1
0
mirror of https://github.com/moparisthebest/xeps synced 2024-12-21 15:18:51 -05:00

0.3: Completed copy edit; clarified several points in the text; corrected several examples.

git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@2399 4b5297f7-1745-476d-ba37-a9c6900126ab
This commit is contained in:
Peter Saint-Andre 2008-10-16 18:15:31 +00:00
parent 8887a775e6
commit b625cf91d9

View File

@ -7,7 +7,7 @@
<xep>
<header>
<title>Server Dialback</title>
<abstract>This specification defines the Server Dialback protocol, which is used between XMPP servers to provide identity verification. Server Dialback uses the Domain Name System (DNS) as the basis for verifying identity; the basic approach is that when a receiving server receives a server-to-server connection request from an originating server, it does not accept the request until it has verified a key with an authoritative server for the domain asserted by the originating server. Although Server Dialback does not provide strong authentication or trusted federation and although it is subject to DNS poisoning attacks, since its development in the year 2000 it has effectively prevented most instances of address spoofing on the XMPP network.</abstract>
<abstract>This specification defines the Server Dialback protocol, which is used between XMPP servers to provide identity verification. Server Dialback uses the Domain Name System (DNS) as the basis for verifying identity; the basic approach is that when a receiving server receives a server-to-server connection request from an originating server, it does not accept the request until it has verified a key with an authoritative server for the domain asserted by the originating server. Although Server Dialback does not provide strong authentication or trusted federation and although it is subject to DNS poisoning attacks, it has effectively prevented most instances of address spoofing on the XMPP network since its development in the year 2000.</abstract>
&LEGALNOTICE;
<number>0220</number>
<status>Experimental</status>
@ -22,6 +22,12 @@
<shortname>dialback</shortname>
&stpeter;
&jer;
<revision>
<version>0.3</version>
<date>2008-10-16</date>
<initials>psa</initials>
<remark><p>Completed copy edit; clarified several points in the text; corrected several examples.</p></remark>
</revision>
<revision>
<version>0.2</version>
<date>2008-06-18</date>
@ -59,18 +65,19 @@
<section1 topic="Introduction" anchor="intro">
<section2 topic="Why Dialback?" anchor="intro-why">
<p>When Jabber technologies were first developed in 1998, they were conceived of as a client-server system similar to email, wherein a client would connect to a server in order to communicate with other clients. Similarly, servers would connect with peer servers to provide inter-domain communication (often called "federation"). In a system that allows federation, it is important for a server to be able to determine the identity of a peer server; accepting a connection from any peer without determining its identity would result in the use of merely asserted identities and a completely uncontrolled approach to federation, which would rapidly devolve into chaos on the open Internet. Clearly such a state of affairs would be unsustainable for a network protocol aiming for widespread deployment.</p>
<p>When Jabber technologies were first developed in 1998, they were conceived of as a client-server system similar to email, wherein a client would connect to a server in order to communicate with other clients. Similarly, servers would connect with peer servers to provide inter-domain communication (often called "federation"). In a system that allows federation, it is important for a server to be able to determine the identity of a peer server; accepting a connection from any peer without determining its identity would result in the use of merely asserted identities and a completely uncontrolled approach to federation, which on the open Internet would rapidly devolve into chaos. Clearly such a state of affairs would be unsustainable for a network protocol aiming for widespread deployment.</p>
<p>Unfortunately, that was the state of affairs on the Jabber network during the earliest releases of the original &jabberd; server codebase (up through the 1.0 release in May 2000). Therefore the open-source developer community designed a protocol ("Server Dialback") for weak identity verification based on the Domain Name System (DNS), built support for that protocol into the jabberd 1.2 server (released in October 2000), and mandated support for that protocol on the emerging Jabber server network.</p>
<p>When the core Jabber protocols were formalized by the XMPP Working Group of the &IETF; in 2002-2004, support for strong identity verification was added. That support takes the form of Transport Layer Security (TLS) for encryption of server-to-server XML streams and the Simple Authentication and Security Layer (SASL) for authentication of such streams, using digital certificates issued by trusted root certification authorities (CAs). Documentation of TLS and SASL within XMPP is provided in &xmppcore;. However, the Server Dialback protocol is still in wide use, and probably will be for the foreseeable future given the difficulty (real or perceived) of obtaining digital certificates issued by common certification authorities (CAs). Therefore it is important to maintain accurate documentation of the Server Dialback protocol. Such documentation was originally provided in &rfc3920;. Although that documentation was removed from &rfc3920bis;, it is still provided in this specification for the sake of interoperability.</p>
<p>When the core Jabber protocols were formalized by the XMPP Working Group of the &IETF; in 2002-2004, support for strong identity verification was added. That support takes the form of Transport Layer Security (TLS) for encryption of server-to-server XML streams and the Simple Authentication and Security Layer (SASL) for authentication of such streams, using digital certificates issued by trusted root certificate authorities (CAs). Documentation of TLS and SASL within XMPP is provided in &xmppcore;. However, the Server Dialback protocol is still in wide use, and probably will be for the foreseeable future given the difficulty (real or perceived) of obtaining digital certificates issued by common CAs. (The &XSF; has worked to make certificates easier to obtain by running the &XMPPICA;.)</p>
<p>Therefore it is important to maintain accurate documentation of the Server Dialback protocol. Such documentation was originally provided in &rfc3920;. Although that documentation was removed from &rfc3920bis;, it is still provided in this specification for the sake of interoperability.</p>
</section2>
<section2 topic="Federation Models" anchor="intro-models">
<p>There are at least four levels of server-to-server federation in Jabber/XMPP networks:</p>
<ol start='1'>
<li><p>Permissive Federation -- a server accepts a connection from any other peer on the network, even without verifiying the identity of the peer based on DNS lookups. The lack of peer verification or authentication means that domains can be spoofed.</p></li>
<li><p>Verified Federation -- a server accepts a connection from a peer only after the identity of the peer has been weakly verified via based on information obtained via the Domain Name System (DNS). However, the connection is not encrypted or authenticated. The use of identity verification effectively prevents domain spoofing, but federation requires proper DNS setup and is still subject to DNS poisoning attacks.</p></li>
<li><p>Encrypted Federation -- a server accepts a connection from a peer only if the peer supports Transport Layer Security (TLS) as defined for XMPP in &rfc3920; and the peer presents a digital certificate. However, the certificate may be self-signed, in which case mutual authentication is typically not possible. Therefore, after STARTTLS negotiation the parties proceed to weakly verify identity based on DNS information as under Verified Federation. This combination results in an encrypted connection with weak identity verification.</p></li>
<li><p>Trusted Federation -- a server accepts a connection from a peer only if the peer supports Transport Layer Security (TLS) and the peer presents a digital certificate issued by a trusted root certification authority (CA). The list of trusted root CAs is determined by local service policy, as is the level of trust accorded to various types of certificates (i.e., Class 1, Class 2, or Class 3). The use of trusted domain certificates effectively prevents DNS poisoning attacks and results in mutual authentication.</p></li>
<li><p>Verified Federation -- a server accepts a connection from a peer only after the identity of the peer has been weakly verified based on information obtained via the Domain Name System (DNS). However, the connection is not encrypted or authenticated. The use of identity verification effectively prevents domain spoofing, but federation requires proper DNS setup and is still subject to DNS poisoning attacks.</p></li>
<li><p>Encrypted Federation -- a server accepts a connection from a peer only if the peer supports Transport Layer Security (TLS) as defined for XMPP in <cite>RFC 3920</cite> and the peer presents a digital certificate. However, the certificate can be self-signed, in which case mutual authentication is typically not possible. Therefore, after STARTTLS negotiation the parties proceed to weakly verify identity based on DNS information as under Verified Federation. This combination results in an encrypted connection with weak identity verification.</p></li>
<li><p>Trusted Federation -- a server accepts a connection from a peer only if the peer supports Transport Layer Security (TLS) and the peer presents a digital certificate issued by a trusted root certificate authority (CA). The list of trusted root CAs is determined by local service policy, as is the level of trust accorded to various types of certificates (e.g., Class 1, Class 2, or Class 3). The use of trusted domain certificates effectively prevents DNS poisoning attacks and results in mutual authentication.</p></li>
</ol>
<p>This specification documents the technology that enabled the Jabber server network to advance beyond Permissive Federation to Verified Federation. Combined with the use of TLS, Server Dialback can also result in Encrypted Federation. However, Trusted Federation is not possible with Server Dialback.</p>
<p>Note: For detailed examples showing the protocol flows and outcomes of dialback negotiation for a wide variety of federation scenarios, refer to &xep0238;.</p>
@ -86,32 +93,32 @@
<p>Server Dialback is typically used in two scenarios:</p>
<ol start='1'>
<li><p>When a peer service does not support XMPP 1.0 as defined in <cite>RFC 3920</cite> or, more generally, does not offer negotiation of TLS.</p></li>
<li><p>When STARTTLS negotiation succeeds with a peer service but the peer's certificate is not strong enough to result in mutual authentication via SASL (e.g., because the certificate presented by the peer service during TLS negotiation is self-signed and and local service policies stipulate that it is preferable to weakly identify the peer service via Server Dialback rather than depend on the self-signed certificate for identity verification).</p></li>
<li><p>When STARTTLS negotiation succeeds with a peer service but the peer's certificate is not strong enough to result in mutual authentication via SASL (e.g., because the certificate presented by the peer service during TLS negotiation is self-signed and local service policies stipulate that it is preferable to weakly identify the peer service via Server Dialback rather than depend on the self-signed certificate for identity verification).</p></li>
</ol>
<p>Both of these scenarios result in an untrusted connection (verified federation in the first scenario and encrypted federation in the second scenario). However, depending on local security policies, a server may accept such an untrusted connection if the use of Server Dialback results in weak identity verification.</p>
<p>Both of these scenarios result in an untrusted connection (verified federation in the first scenario and encrypted federation in the second scenario). However, depending on local security policies, a server might accept such an untrusted connection if the use of Server Dialback results in weak identity verification.</p>
<p>Dialback is not used if SASL is used for server-to-server authentication, since SASL provides strong authentication using certificates, pre-established passwords, or other credentials.</p>
<p>A service cannot begin negotiation of Server Dialback unless its peer advertises support for the Server Dialback protocol. As described under <link url='o2r-processinitial'>Receiving Server Processes Initial Stream Header</link>, a peer advertises support through inclusion of the Server Dialback namespace declaration in its response stream header and (for XMPP 1.0 servers) through inclusion of the Server Dialback stream feature.</p>
<p>A service cannot begin negotiation of Server Dialback unless its peer advertises support for the Server Dialback protocol. As described under <link url='#o2r-processinitial'>Receiving Server Processes Initial Stream Header</link>, a peer advertises support through inclusion of the Server Dialback namespace declaration in its response stream header and (for XMPP 1.0 servers) through inclusion of the Server Dialback stream feature.</p>
</section2>
<section2 topic="How Dialback Works" anchor="intro-howitworks">
<p>The basic idea behind Server Dialback is that a receiving server does not accept XMPP traffic from a sending server until it has "called back" the authoritative server for the domain asserted by the sending server, and verified that the sending server is truly authorized to generate XMPP traffic for that domain.</p>
<p>A helpful analogy might be the following telephone scenario:</p>
<ol start='1'>
<li>A customer service representative from your bank calls you on the phone.</li>
<li>Rather than immediately accepting the phone call, you ask for his employee ID number and put him on hold.</li>
<li>You open the phone book, find the authoritative phone number for the bank's headquarters, and give them a call.</li>
<li>After being transferred to the customer service department, you ask if a rep with that particular ID number is authorized to be calling your number.</li>
<li>The bank tells you that the rep is authorized, so you thank them and hang up.</li>
<li>You then take the rep off hold and continue the conversation.</li>
<li>A representative from your electric utility company knocks on your front door and says he needs to enter your house.</li>
<li>Rather than letting him in, you ask for his employee ID number and politely close the door for a few moments.</li>
<li>You open the phone book, find the authoritative phone number for the utility company's headquarters, and call them on the phone.</li>
<li>After being transferred to the customer service department, you ask if a rep with that particular ID number is authorized to be visiting your house.</li>
<li>The company tells you that the rep is authorized, so you thank them and hang up.</li>
<li>You then reopen the front door and allow the rep to enter your house.</li>
</ol>
<p>In Server Dialback, the equivalent of the customer service representative is the ORIGINATING SERVER, i.e., the machine that wants to send a message to an entity at a destination domain and thus is attempting to establish a connection between the two servers. The equivalent of the person being called is the RECEIVING SERVER, i.e., the machine to which the originating server has opened a connection for the purpose of sending the message and thus is trying to authenticate that the Originating Server represents the domain which it claims to be. And the equivalent of the bank is the AUTHORITATIVE SERVER, i.e., the machine that answers to a DNS lookup for the domain asserted by the originating server (which is not necessarily the machine associated with the originating server); for basic environments this will be the Originating Server, but it could be a separate machine in the Originating Server's network (where "network" is defined by knowledge of a shared secret for verification of dialback keys).</p>
<p>In Server Dialback, the equivalent of the utility company representative is the ORIGINATING SERVER, i.e., the machine that wants to send a message to an entity at a destination domain and thus is attempting to establish a connection between the two servers. The equivalent of the person at the house is the RECEIVING SERVER, i.e., the machine to which the originating server has opened a connection for the purpose of sending the message and thus is trying to authenticate that the Originating Server represents the domain which it claims to be. And the equivalent of the company headquarters is the AUTHORITATIVE SERVER, i.e., the machine that answers to a DNS lookup for the domain asserted by the originating server (which is not necessarily the machine associated with the originating server); for basic environments this will be the Originating Server, but it could be a separate machine in the Originating Server's network (where "network" is defined by knowledge of a shared secret for verification of dialback keys).</p>
<p>The basic flow of events in Server Dialback is as follows:</p>
<ol start='1'>
<li>The Originating Server performs a DNS lookup on the hostname of the Receiving Server, opens a TCP connection to the discovered IP address and port, and establishes an XML stream with the Receiving Server.</li>
<li>The Originating Server generates a dialback key and sends that value over its XML stream with the Receiving Server.</li>
<li>The Receiving Server does not immediately accept the connection but instead performs a DNS lookup on the hostname of the Authoritative Server, opens a TCP connection to the discovered IP address and port, and establishes an XML stream with the Authoritative Server.</li>
<li>The Receiving Server sends the same dialback key over its XML stream with the Authoritative Server for verification.</li>
<li>The Authoritative Server replies that key is valid or invalid.</li>
<li>The Authoritative Server replies that the key is valid or invalid.</li>
<li>The Receiving Server informs the Originating Server whether its identify has been verified or not.</li>
</ol>
<p>We can represent this flow of events graphically as follows.</p>
@ -143,7 +150,7 @@ Originating Receiving
| <---------------------- |
| |
]]></code>
<p>Note: In Steps 1 and 3, it is not always necessary to open a new TCP connection and establish a new stream; for details, see the section on <link url='#piggybacking'>Reuse of Negotiated Connections (Piggybacking)</link>.</p>
<p>Note: In Steps 1 and 3, it is not always necessary to open a new TCP connection and establish a new stream; for details, see the section on <link url='#piggybacking'>Reuse of Negotiated Connections (&quot;Piggybacking&quot;)</link>.</p>
</section2>
</section1>
@ -172,19 +179,19 @@ Originating Receiving
<section2 topic='Stream Setup Between Originating Server and Receiving Server' anchor='o2r'>
<section3 topic='Originating Server Resolves Receiving Server' anchor='o2r-resolve'>
<p>Before opening a TCP connection to the Receiving Server, the Originating Server must first determine the appropriate IP address and port at which to connect. This is done by resolving the Receiving Server's hostname ("xmpp.example.com") using the Domain Name System. As described in <cite>XMPP Core</cite>, the Originating Server shall first attempt to resolve a TCP service of _xmpp-server for that hostname using DNS SRV records. Here we assume that example.com has the following records in its DNS configuration:</p>
<p>Before opening a TCP connection to the Receiving Server, the Originating Server first needs to determine the appropriate IP address and port at which to connect. This is done by resolving the Receiving Server's hostname ("xmpp.example.com") using the Domain Name System. As described in <cite>XMPP Core</cite>, the Originating Server will first attempt to resolve a TCP service of _xmpp-server for that hostname using DNS SRV records. Here we assume that example.com has the following records in its DNS configuration:</p>
<example caption="DNS SRV Record for Receiving Server"><![CDATA[
_xmpp-server._tcp.xmpp.example.com. 86400 IN SRV 10 0 5269 x1.example.com
_xmpp-server._tcp.xmpp.example.com. 86400 IN SRV 20 0 9625 x2.example.com
]]></example>
<p>These records show that server-to-server connections for the XMPP service "xmpp.example.com" are serviced by two machines: x1.example.com at port 5269 and x2.example.com at port 9625.</p>
<p>The Originating Server would then choose one of these machines to resolve further. Here we assume that the Originating Server chooses x2.example.com and that a standard A lookup for x2.example.com yields an IP address of "192.0.2.2".</p>
<p>Note: As described in <cite>XMPP Core</cite>, if the Receiving Server does not provide appropriate DNS SRV records then in order to resolve the hostname of the Receiving Server the Originating Server may fall back to normal IPv4/IPv6 address record resolution to determine the IP address and assume a port of 5269 as registered with the IANA.</p>
<p>Based on the SRV record weights, the Originating Server would then attempt to resolve one of these machines further. Here the Originating Server resolves x2.example.com, for which a standard A lookup yields an IP address of "192.0.2.2".</p>
<p>Note: As described in <cite>XMPP Core</cite>, if the Receiving Server does not provide appropriate DNS SRV records then in order to resolve the hostname of the Receiving Server the Originating Server can fall back to normal IPv4/IPv6 address record resolution to determine the IP address and assume a port of 5269 as registered with the IANA.</p>
</section3>
<section3 topic='Originating Server Opens TCP Connection' anchor='o2r-connect'>
<p>Once the Originating Server has resolved "xmpp.example.com" to an IP address of 192.0.2.2 and port of 9625, it opens a TCP connection to that IP and port.</p>
<p>Note: Instead of opening a new TCP connection to the Receiving Server, the Originating Server MAY reuse an existing TCP connnection; for details, see the <link url='piggybacking'>Reuse of Negotiated Connections (Piggybacking)</link> section of this document.</p>
<p>Note: Instead of opening a new TCP connection to the Receiving Server, the Originating Server MAY reuse an existing TCP connnection; for details, see the <link url='#piggybacking'>Reuse of Negotiated Connections (&quot;Piggybacking&quot;)</link> section of this document.</p>
</section3>
<section3 topic='Originating Server Sends Initial Stream Header' anchor='o2r-sendinitial'>
@ -205,6 +212,7 @@ O2R: <stream:stream
<li>The prefix for the Server Dialback namespace SHOULD be 'db:'.</li>
</ol>
<p>Until the initial stream has been validated, the Originating Server MUST NOT send any further XML data to the Receiving Server over that stream.</p>
<p>Note: If the Receiving Server receives any XML stanzas from the Originating Server before the initial stream has been validated, the Receiving Server MUST silently drop those stanzas.</p>
</section3>
<section3 topic='Receiving Server Processes Initial Stream Header' anchor='o2r-processinitial'>
@ -227,7 +235,7 @@ R2O: <stream:stream
<li>If the initial stream header did not include a Server Dialback namespace declaration and the Receiving Server supports the Server Dialback protocol, the response stream header MAY include a Server Dialback namespace declaration.</li>
<li>If the response stream header includes a Server Dialback namespace declaration, the Server Dialback namespace MUST be 'jabber:server:dialback' and the prefix for the Server Dialback namespace SHOULD be 'db:'.</li>
</ol>
<p>After sending the response stream header, the Receiving Server shall also send stream features to the Originating Server. The Receiving Server SHOULD include the dialback feature in its initial stream features advertisement, including an indication of whether Server Dialback negotiation is optional or required.</p>
<p>After sending the response stream header, the Receiving Server also sends stream features to the Originating Server. The Receiving Server SHOULD include the dialback feature in its initial stream features advertisement, including an indication of whether Server Dialback negotiation is optional or required.</p>
<example caption="Stream Features"><![CDATA[
R2O: <stream:features>
<dialback xmlns='urn:xmpp:features:dialback'>
@ -235,17 +243,17 @@ R2O: <stream:features>
</dialback>
</stream:features>
]]></example>
<p>Note: If the Receiving Server receives any XML stanzas from the Originating Server before the initial stream has been validated, the Receiving Server MUST silently drop those stanzas.</p>
<p>Note: Typically, Server Dialback negotiation is required for server-to-server communication unless SASL is used for strong authentication.</p>
</section4>
<section4 topic='Error Cases' anchor='o2r-processinitial-error'>
<p>There are several reasons why processing of the initial stream header might fail:</p>
<p>There are several reasons why the Receiving Server's processing of the initial stream header might fail:</p>
<ol start='1'>
<li>The Server Dialback namespace name provided by the Originating Server is incorrect.</li>
<li>The Server Dialback namespace prefix provided by the Originating Server is not supported by the Receiving Server (note: an implementation MAY accept only the 'db:' namespace prefix).</li>
<li>The value of the 'to' address provided by the Originating Server does not match a hostname serviced by the Receiving Server.</li>
<li>The Receiving Server does not accept communication with the hostname of the 'from' address provided by the Originating Server.</li>
</ol>
<p>These error cases are described more fully in the rest of this section.</p>
<p>These error cases are described more fully in the remainder of this section.</p>
<p>If the Server Dialback namespace name is incorrect, then the Receiving Server SHOULD generate an &lt;invalid-namespace/&gt; stream error condition and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Invalid Namespace"><![CDATA[
R2O: <stream:error>
@ -282,7 +290,7 @@ R2O: <stream:error>
R2O: </stream:stream>
]]></example>
<p>Note: The foregoing error flows specify that the Receiving Server SHOULD return a stream error. However, depending on local security policies, the Receiving Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).</p>
<p class='box'>Note Well: The foregoing error flows specify that the Receiving Server SHOULD return a stream error. However, depending on local security policies, the Receiving Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).</p>
</section4>
</section3>
@ -291,11 +299,11 @@ R2O: </stream:stream>
<p>When the Originating Server receives the response stream header from the Receiving Server, it MUST proceed as follows.</p>
<section4 topic='Success Case' anchor='o2r-processresponse-success'>
<p>If the response stream header can be successfully processed, the Originating Server MUST generate and send a dialback key as described under <link url='key'>Generation and Exchange of Dialback Key</link>.</p>
<p>If the response stream header can be successfully processed, the Originating Server MUST generate and send a dialback key as described under <link url='#key'>Generation and Exchange of Dialback Key</link>.</p>
</section4>
<section4 topic='Error Cases' anchor='o2r-response-error'>
<p>There are several reasons why processing of the response stream header and stream features might fail:</p>
<p>There are several reasons why the Originating Server's processing of the response stream header and stream features might fail:</p>
<ol start='1'>
<li>The Server Dialback namespace name provided by the Receiving Server is incorrect.</li>
<li>The Server Dialback namespace prefix provided by the Receiving Server is not supported by the Originating Server (note: an implementation MAY accept only the 'db:' namespace prefix).</li>
@ -303,7 +311,7 @@ R2O: </stream:stream>
<li>The Originating Server does not accept communication with the hostname of the 'from' address provided by the Receiving Server.</li>
<li>The Receiving Server does not advertise support for Server Dialback via a Server Dialback namespace declaration or stream feature.</li>
</ol>
<p>These error cases are described more fully in the rest of this section.</p>
<p>These error cases are described more fully in the remainder of this section.</p>
<p>If the Server Dialback namespace name is incorrect, then the Originating Server SHOULD generate an &lt;invalid-namespace/&gt; stream error condition and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Invalid Namespace"><![CDATA[
O2R: <stream:error>
@ -340,8 +348,9 @@ O2R: <stream:error>
O2R: </stream:stream>
]]></example>
<p>Note: The foregoing error flows specify that the Originating Server SHOULD return a stream error. However, depending on local security policies, the Originating Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).</p>
<p>If the Receiving Server does not advertise support for Server Dialback via a Server Dialback namespace declaration or stream feature, then the Originating Server's attempt to negotiate Server Dialback fails and the Originating Server SHOULD return a &timeout; stanza error to the local entity that generated the stanza that triggered the Server Dialback attempt in the first place (if any).</p>
<p class='box'>Note Well: The foregoing error flows specify that the Originating Server SHOULD return a stream error. However, depending on local security policies, the Originating Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).</p>
<p>If the Receiving Server does not advertise support for Server Dialback via a Server Dialback namespace declaration or stream feature, then the Originating Server's attempt to negotiate Server Dialback also fails.</p>
<p class='box'>Note Well: In all of the foregoing error cases, the Originating Server SHOULD consider the Server Dialback negotiation attempt to have failed in an unrecoverable fashion and therefore it SHOULD return a &timeout; stanza error to the local entity that generated the stanza that triggered the Server Dialback negotiation attempt in the first place (if any).</p>
</section4>
</section3>
@ -416,35 +425,49 @@ O2R: <db:result
<section3 topic='Receiving Server Processes Dialback Key' anchor='key-process'>
<p>When the Receiving Server receives the dialback key, it MUST proceed as follows.</p>
<p>If the Server Dialback namespace prefix is not supported by the Originating Server, then the Originating Server SHOULD generate a &lt;bad-namespace-prefix/&gt; stream error condition and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Bad Namespace Prefix"><![CDATA[
O2R: <stream:error>
<section4 topic='Success Case' anchor='key-process-success'>
<p>If the dialback key can be successfully processed, the Receiving Server MUST attempt to open a connection to the Authoritative Server and then ask the Authoritative Server to validate the key provided by the Originating Server, as described in under <link url='#r2a'>Stream Setup Between Receiving Server and Authoritative Server</link>.</p>
<p>Note: The dialback key is not examined by the Receiving Server, since the key is validated by the Authoritative Server.</p>
</section4>
<section4 topic='Error Cases' anchor='key-process-error'>
<p>There are several reasons why the Receiving Server's processing of the dialback key might fail:</p>
<ol start='1'>
<li>The Server Dialback namespace prefix provided by the Originating Server is not supported by the Receiving Server (note: an implementation MAY accept only the 'db:' namespace prefix).</li>
<li>The value of the 'to' address provided by the Originating Server does not match a hostname serviced by the Receiving Server.</li>
<li>The Receiving Server does not accept communication with the hostname of the 'from' address provided by the Originating Server.</li>
</ol>
<p>These error cases are described more fully in the remainder of this section.</p>
<p>If the Server Dialback namespace prefix is not supported by the Receiving Server, then the Receiving Server SHOULD generate a &lt;bad-namespace-prefix/&gt; stream error condition and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Bad Namespace Prefix"><![CDATA[
R2O: <stream:error>
<bad-namespace-prefix
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</stream:error>
O2R: </stream:stream>
]]></example>
<p>If the value of the 'to' address provided by the Originating Server does not match a hostname serviced by the Receiving Server, then the Receiving Server SHOULD generate a &lt;host-unknown/&gt; or &lt;host-gone/&gt; stream error condition (as appropriate) and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Host Unknown"><![CDATA[
O2R: <stream:error>
R2O: </stream:stream>
]]></example>
<p>If the value of the 'to' address provided by the Originating Server does not match a hostname serviced by the Receiving Server, then the Receiving Server SHOULD generate a &lt;host-unknown/&gt; or &lt;host-gone/&gt; stream error condition (as appropriate) and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Host Unknown"><![CDATA[
R2O: <stream:error>
<host-unknown
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</stream:error>
O2R: </stream:stream>
R2O: </stream:stream>
]]></example>
<p>If the Originating Server does not allow communication with the hostname of the 'from' address provided by the Receiving Server, then the Originating Server SHOULD generate a &lt;not-authorized/&gt; stream error condition and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Not Authorized"><![CDATA[
O2R: <stream:error>
<p>If the Receiving Server does not allow communication with the hostname of the 'from' address provided by the Originating Server, then the Receiving Server SHOULD generate a &lt;not-authorized/&gt; stream error condition and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Not Authorized"><![CDATA[
R2O: <stream:error>
<not-authorized
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</stream:error>
O2R: </stream:stream>
]]></example>
<p>Otherwise, the Receiving Server MUST attempt to open a connection to the Authoritative Server and then ask the Authoritative Server to validate the key provided by the Originating Server, as described in the following sections.</p>
<p>Note: The dialback key is not examined by the Receiving Server, since the key is validated by the Authoritative Server.</p>
R2O: </stream:stream>
]]></example>
<p class='box'>Note Well: In all of the foregoing error cases, the Originating Server SHOULD consider the Server Dialback negotiation attempt to have failed in an unrecoverable fashion and therefore it SHOULD return a &timeout; stanza error to the local entity that generated the stanza that triggered the Server Dialback negotiation attempt in the first place (if any).</p>
</section4>
</section3>
</section2>
@ -452,18 +475,18 @@ O2R: </stream:stream>
<section2 topic='Stream Setup Between Receiving Server and Authoritative Server' anchor='r2a'>
<section3 topic='Receiving Server Resolves Authoritative Server' anchor='r2a-resolve'>
<p>Before opening a TCP connection to the Authoritative Server, the Receiving Server must first determine the appropriate IP address and port at which to connect. This is done by resolving the Authoritative Server's hostname ("example.org") using the Domain Name System. As described in <cite>XMPP Core</cite>, the Receiving Server shall first attempt to resolve a TCP service of _xmpp-server for that hostname using DNS SRV records. Here we assume that example.org has the following records in its DNS configuration:</p>
<p>Before opening a TCP connection to the Authoritative Server, the Receiving Server first needs to determine the appropriate IP address and port at which to connect. This is done by resolving the Authoritative Server's hostname ("example.org") using the Domain Name System. As described in <cite>XMPP Core</cite>, the Receiving Server will first attempt to resolve a TCP service of _xmpp-server for that hostname using DNS SRV records. Here we assume that example.org has the following records in its DNS configuration:</p>
<example caption="DNS SRV Record for Authoritative Server"><![CDATA[
_xmpp-server._tcp.example.org. 86400 IN SRV 10 0 5269 foo.example.org
]]></example>
<p>These records show that server-to-server connections for the XMPP service "example.org" are serviced by the physical machine foo.example.org at port 5269.</p>
<p>The Receiving Server would then resolve that machine to an IP address, in this case "192.0.2.23".</p>
<p>Note: As described in <cite>XMPP Core</cite>, if the Authoritative Server does not provide appropriate DNS SRV records then in order to resolve the hostname of the Authoritative Server the Receiving Server may fall back to normal IPv4/IPv6 address record resolution to determine the IP address and assume a port of 5269 as registered with the IANA.</p>
<p>Note: As described in <cite>XMPP Core</cite>, if the Authoritative Server does not provide appropriate DNS SRV records then in order to resolve the hostname of the Authoritative Server the Receiving Server can fall back to normal IPv4/IPv6 address record resolution to determine the IP address and assume a port of 5269 as registered with the IANA.</p>
</section3>
<section3 topic='Receiving Server Opens TCP Connection' anchor='r2a-connect'>
<p>Once the Receiving Server has resolved "example.org" to an IP address of 192.0.2.23 and port of 5269, it opens a TCP connection to that IP and port.</p>
<p>Note: Instead of opening a new TCP connection to the Authoritative Server, the Receiving Server MAY reuse an existing TCP connnection; for details, see the <link url='piggybacking'>Reuse of Negotiated Connections (Piggybacking)</link> section of this document.</p>
<p>Note: Instead of opening a new TCP connection to the Authoritative Server, the Receiving Server MAY reuse an existing TCP connnection; for details, see the <link url='#piggybacking'>Reuse of Negotiated Connections (&quot;Piggybacking&quot;)</link> section of this document.</p>
</section3>
<section3 topic='Receiving Server Sends Initial Stream Header' anchor='r2a-sendinitial'>
@ -506,7 +529,7 @@ A2R: <stream:stream
<li>If the initial stream header did not include a Server Dialback namespace declaration and the Authoritative Server supports the Server Dialback protocol, the response stream header MAY include a Server Dialback namespace declaration.</li>
<li>If the response stream header includes a Server Dialback namespace declaration, the Server Dialback namespace MUST be 'jabber:server:dialback' and the prefix for the Server Dialback namespace SHOULD be 'db:'.</li>
</ol>
<p>After sending the response stream header, the Authoritative Server shall also send stream features to the Receiving Server. The Authoritative Server SHOULD include the dialback feature in its initial stream features advertisement, including an indication of whether Server Dialback negotiation is optional or required.</p>
<p>After sending the response stream header, the Authoritative Server also sends stream features to the Receiving Server. The Authoritative Server SHOULD include the dialback feature in its initial stream features advertisement, including an indication of whether Server Dialback negotiation is optional or required.</p>
<example caption="Stream Features"><![CDATA[
A2R: <stream:features>
<dialback xmlns='urn:xmpp:features:dialback'>
@ -516,7 +539,7 @@ A2R: <stream:features>
]]></example>
</section4>
<section4 topic='Error Cases' anchor='r2a-processinitial-error'>
<p>There are several reasons why processing of the initial stream header might fail:</p>
<p>There are several reasons why the Authoritative Server's processing of the initial stream header might fail:</p>
<ol start='1'>
<li>The Server Dialback namespace name provided by the Receiving Server is incorrect.</li>
<li>The Server Dialback namespace prefix provided by the Receiving Server is not supported by the Authoritative Server (note: an implementation MAY accept only the 'db:' namespace prefix).</li>
@ -524,6 +547,9 @@ A2R: <stream:features>
<li>The Authoritative Server does not accept communication with the hostname of the 'from' address provided by the Receiving Server.</li>
</ol>
<p>These error cases are described more fully in the remainder of this section.</p>
<p class='box'>Note Well: If </p>
<p>If the Server Dialback namespace name is incorrect, then the Authoritative Server SHOULD generate an &lt;invalid-namespace/&gt; stream error condition and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Invalid Namespace"><![CDATA[
A2R: <stream:error>
@ -560,7 +586,7 @@ A2R: <stream:error>
A2R: </stream:stream>
]]></example>
<p>Note: The foregoing error flows specify that the Authoritative Server SHOULD return a stream error. However, depending on local security policies, the Authoritative Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).</p>
<p class='box'>Note Well: The foregoing error flows specify that the Authoritative Server SHOULD return a stream error. However, depending on local security policies, the Authoritative Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).</p>
</section4>
</section3>
@ -569,11 +595,11 @@ A2R: </stream:stream>
<p>When the Receiving Server receives the response stream header from the Authoritative Server, it MUST proceed as follows.</p>
<section4 topic='Success Case' anchor='r2a-processresponse-success'>
<p>If the response stream header can be successfully processed, the Receiving Server MUST send the dialback key it received from the Originating Server as described under <link url='verify'>Exchange of Verification Request between Receiving Server and Authoritative Server</link>.</p>
<p>If the response stream header can be successfully processed, the Receiving Server MUST send the dialback key it received from the Originating Server as described under <link url='#verify'>Exchange of Verification Request between Receiving Server and Authoritative Server</link>.</p>
</section4>
<section4 topic='Error Cases' anchor='r2a-response-error'>
<p>There are several reasons why processing of the response stream header and stream features might fail:</p>
<p>There are several reasons why the Receiving Server's processing of the response stream header and stream features might fail:</p>
<ol start='1'>
<li>The Server Dialback namespace name provided by the Authoritative Server is incorrect.</li>
<li>The Server Dialback namespace prefix provided by the Authoritative Server is not supported by the Receiving Server (note: an implementation MAY accept only the 'db:' namespace prefix).</li>
@ -618,8 +644,17 @@ R2A: <stream:error>
R2A: </stream:stream>
]]></example>
<p>Note: The foregoing error flows specify that the Receiving Server SHOULD return a stream error. However, depending on local security policies, the Receiving Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).</p>
<p>If the Authoritative Server does not advertise support for Server Dialback via a Server Dialback namespace declaration or stream feature, then the Receiving Server's attempt to request verification of the Originating Server's dialback key fails and the Receiving Server MUST return a &remoteconnection; stream error to the Originating Server.</p>
<p class='box'>Note Well: The foregoing error flows specify that the Receiving Server SHOULD return a stream error. However, depending on local security policies, the Receiving Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).</p>
<p>If the Authoritative Server does not advertise support for Server Dialback via a Server Dialback namespace declaration or stream feature, then the Receiving Server's attempt to request verification of the Originating Server's dialback key also fails.</p>
<p>Note: In all of the foregoing error cases, the Receiving Server SHOULD consider the Server Dialback negotiation attempt to have failed in an unrecoverable fashion and therefore it SHOULD return a &remoteconnection; stream error to the Originating Server.</p>
<example caption="Remote Server Timeout"><![CDATA[
R2O: <stream:error>
<remote-server-timeout
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</stream:error>
R2O: </stream:stream>
]]></example>
</section4>
</section3>
@ -643,11 +678,11 @@ R2A: <db:verify
<section3 topic='Authoritative Server Processes Verification Request' anchor='verify-process'>
<section4 topic='Success Case' anchor='verify-process-success'>
<p>If the verification request can be successfully processed, the Authoritative Server MUST validate the dialback key it received from the Receiving Server as described under <link url='validate'>Validation of Dialback Key by Authoritative Server</link>.</p>
<p>If the verification request can be successfully processed, the Authoritative Server MUST validate the dialback key it received from the Receiving Server as described under <link url='#validate'>Validation of Dialback Key by Authoritative Server</link>.</p>
</section4>
<section4 topic='Error Cases' anchor='verify-process-error'>
<p>There are several reasons why processing of the verification request might fail:</p>
<p>There are several reasons why the Authoritative Server's processing of the verification request might fail:</p>
<ol start='1'>
<li>The value of the 'to' address provided by the Receiving Server does not match a hostname serviced by the Authoritative Server's network.</li>
<li>The value of the 'from' address provided by the Receiving Server does not match the hostname sent by the Receiving Server in the 'from' address of the initial stream header it sent to the Authoritative Server.</li>
@ -655,21 +690,30 @@ R2A: <db:verify
<p>These error cases are described more fully in the remainder of this section.</p>
<p>If the value of the 'to' address provided by the Receiving Server does not match a hostname serviced by the Authoritative Server's network, then the Authoritative Server MUST generate a &lt;host-unknown/&gt; or &lt;host-gone/&gt; stream error condition (as appropriate) and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Host Unknown"><![CDATA[
R2A: <stream:error>
A2R: <stream:error>
<host-unknown
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</stream:error>
R2A: </stream:stream>
A2R: </stream:stream>
]]></example>
<p>If the value of the 'from' address provided by the Receiving Server does not match the hostname sent by the Receiving Server in the 'from' address of the initial stream header it sent to the Authoritative Server, then the Authoritative Server MUST generate an &lt;invalid-from/&gt; stream error condition and terminate both the XML stream and the underlying TCP connection.</p>
<example caption="Invalid From"><![CDATA[
R2A: <stream:error>
A2R: <stream:error>
<invalid-from
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</stream:error>
R2A: </stream:stream>
A2R: </stream:stream>
]]></example>
<p>Note: In all of the foregoing error cases, the Receiving Server SHOULD consider the Server Dialback negotiation attempt to have failed in an unrecoverable fashion and therefore it SHOULD return a &remoteconnection; stream error to the Originating Server.</p>
<example caption="Remote Server Timeout"><![CDATA[
R2O: <stream:error>
<remote-server-timeout
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</stream:error>
R2O: </stream:stream>
]]></example>
</section4>
@ -681,8 +725,8 @@ R2A: </stream:stream>
<section3 topic='Authoritative Server Determines Validity of Dialback Key' anchor='validate-determine'>
<p>If the Authoritative Server can successfully process the verification request, it MUST determine whether the key is valid or invalid.</p>
<p>The key shall be considered <em>valid</em> if the Authoritative Server determines that the key matches the output it would have produced using its key generation algorithm with the inputs specified in the XML attributes of the verification request along with its shared secret.</p>
<p>The key shall be considered <em>invalid</em> if the Authoritative Server determines that the key does not match the output it would have produced using its key generation algorithm with the inputs specified in the XML attributes of the verification request along with its shared secret.</p>
<p>The key shall be considered <strong>valid</strong> if the Authoritative Server determines that the key matches the output it would have produced using its key generation algorithm with the inputs specified in the XML attributes of the verification request along with its shared secret.</p>
<p>The key shall be considered <strong>invalid</strong> if the Authoritative Server determines that the key does not match the output it would have produced using its key generation algorithm with the inputs specified in the XML attributes of the verification request along with its shared secret.</p>
</section3>
<section3 topic='Authoritative Server Sends Validation Result' anchor='validate-send'>
@ -711,11 +755,11 @@ A2R: <db:verify
<section3 topic='Receiving Server Processes Validation Result' anchor='validate-process'>
<section4 topic='Success Case' anchor='validate-process-success'>
<p>If the validation result can be successfully processed, the Receiving Server MUST inform the Originating Server of the Server Dialback results described under <link url='result'>Communication of Result from Receiving Server to Originating Server</link>. The Receiving Server then SHOULD also terminate the XML stream and the underlying TCP connection between the Receiving Server and the Authoritative Server.</p>
<p>If the validation result can be successfully processed, the Receiving Server MUST inform the Originating Server of the Server Dialback results described under <link url='#result'>Communication of Result from Receiving Server to Originating Server</link>. The Receiving Server then SHOULD also terminate the XML stream and the underlying TCP connection between the Receiving Server and the Authoritative Server.</p>
</section4>
<section4 topic='Error Cases' anchor='validate-process-error'>
<p>There are several reasons why processing of the validation result might fail:</p>
<p>There are several reasons why the Receiving Server's processing of the validation result might fail:</p>
<ol start='1'>
<li>The value of the 'id' attribute does not match that provided by the Receiving Server in the verification request.</li>
<li>The value of the 'from' address does not match the hostname represented by the Originating Server in the 'from' address of the initial stream header it sent to the Receiving Server.</li>
@ -749,6 +793,15 @@ R2A: <stream:error>
R2A: </stream:stream>
]]></example>
<p>Note: In all of the foregoing error cases, the Receiving Server SHOULD consider the Server Dialback negotiation attempt to have failed in an unrecoverable fashion and therefore it SHOULD return a &remoteconnection; stream error to the Originating Server.</p>
<example caption="Remote Server Timeout"><![CDATA[
R2O: <stream:error>
<remote-server-timeout
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</stream:error>
R2O: </stream:stream>
]]></example>
</section4>
</section3>
@ -776,9 +829,9 @@ R2O: <db:result
</section4>
<section4 topic='Valid Connection' anchor='result-handle-valid'>
<p>If the Authoritative Server reported the dialback key as valid, the Receiving Server has verified the identity of the Originating Server. As a result, the Receiving Server may now accept XML stanzas from the Originating Server over the validated connection (i.e., over the "initial stream" from the Originating Server to the Receiving Server). However, in accordance with <cite>XMPP Core</cite>, the Receiving Server MUST follow the rules specified therein regarding inclusion and checking of 'from' and 'to' attributes on all XML stanzas it receives from the Originating Server. These checks help to prevent address spoofing.</p>
<p>Note: If the Receiving Server receives any XML stanzas from the Originating Server before the initial stream has been validated, the Receiving Server MUST silently drop those stanzas.</p>
<p>As mentioned, Server Dialback results in weak identity verification in one direction only (in the foregoing text, verification of the Originating Server by the Receiving Server). In order to proceed with bi-directional communication so that the Receiving Server may send XML stanzas to the Originating Server, the Receiving Server MUST now also initiate a dialback negotiation with the Originating Server (i.e., assume the role of an originating server in a new dialback negotiation).</p>
<p>If the Authoritative Server reported the dialback key as valid, the Receiving Server has verified the identity of the Originating Server. As a result, the Receiving Server can now accept XML stanzas from the Originating Server over the validated connection (i.e., over the "initial stream" from the Originating Server to the Receiving Server). However, in accordance with <cite>XMPP Core</cite>, the Receiving Server MUST follow the rules specified therein regarding inclusion and checking of 'from' and 'to' attributes on all XML stanzas it receives from the Originating Server. These checks help to prevent address spoofing.</p>
<p class='box'>Note Well: If the Receiving Server receives any XML stanzas from the Originating Server before the initial stream has been validated, the Receiving Server MUST silently drop those stanzas.</p>
<p>As mentioned, Server Dialback results in weak identity verification in one direction only (in the foregoing text, verification of the Originating Server by the Receiving Server). In order to proceed with bi-directional communication so that the Receiving Server can send XML stanzas to the Originating Server, the Receiving Server MUST now also initiate a dialback negotiation with the Originating Server (i.e., assume the role of an originating server in a new dialback negotiation).</p>
</section4>
</section3>
@ -787,9 +840,9 @@ R2O: <db:result
</section1>
<section1 topic="Reuse of Negotiated Connections (Piggybacking)" anchor="piggybacking">
<p>After the Receiving Server has validated a connection from the Originating Server, the Originating Server may wish to reuse that connection for validation of additional domains. This feature is called PIGGYBACKING. Support for piggybacking is OPTIONAL.</p>
<p>One common motivation for such reuse is the existence of additional services associated with the Originating Server but hosted at subdomains of the Originating Server (the use of subdomains helps to ensure proper routing of XML stanzas to the hosted services). For example, the "example.org" XMPP server may host a groupchat service at "chat.example.org". In order to accept XML stanzas from rooms at "chat.example.org" intended for addresses at "xmpp.example.com", the "xmpp.example.com" domain will need to validate the "chat.example.org" domain (just as it already did for the "example.org" domain). Thus the "example.org" server would now initiate a dialback negotiation with "xmpp.example.com" but specify the Originating Server as "chat.example.org".</p>
<section1 topic="Reuse of Negotiated Connections (&quot;Piggybacking&quot;)" anchor="piggybacking">
<p>After the Receiving Server has validated a connection from the Originating Server, the Originating Server might wish to reuse that connection for validation of additional domains. This feature is called PIGGYBACKING. Support for piggybacking is OPTIONAL.</p>
<p>One common motivation for such reuse is the existence of additional services associated with the Originating Server but hosted at subdomains of the Originating Server (the use of subdomains helps to ensure proper routing of XML stanzas to the hosted services). For example, the "example.org" XMPP server might host a groupchat service at "chat.example.org". In order to accept XML stanzas from rooms at "chat.example.org" intended for addresses at "xmpp.example.com", the "xmpp.example.com" domain will need to validate the "chat.example.org" domain (just as it already did for the "example.org" domain). Thus the "example.org" server would now initiate a dialback negotiation with "xmpp.example.com" but specify the Originating Server as "chat.example.org".</p>
<p>However, because the "example.org" server already has a validated connection open to the Receiving Server ("xmpp.example.com"), it MAY send a &lt;db:result/&gt; element with the key to be validated for the new Originating Server ("chat.example.org") over the XML stream that has already been negotiated, rather than opening a new TCP connection and XML stream.</p>
<example caption="Piggybacked Key"><![CDATA[
O2R: <db:result
@ -817,6 +870,7 @@ R2O: <db:result
</db:result>
]]></example>
<p>Note: a &lt;db:result/&gt; element of type "error" MUST NOT be considered a stream error and therefore MUST NOT result in termination of the stream and the underlying TCP connection, which presumably is being used for sending XML stanzas from the Originating Server to the Receiving Server.</p>
<p class='box'>Note Well: Use of the "error" value was unspecified in <cite>RFC3920</cite>.</p>
</section1>
<section1 topic='Security Considerations' anchor='security'>
@ -877,7 +931,6 @@ R2O: <db:result
<xs:attribute name='type' use='optional'>
<xs:simpleType>
<xs:restriction base='xs:NCName'>
<xs:enumeration value='error'/>
<xs:enumeration value='invalid'/>
<xs:enumeration value='valid'/>
</xs:restriction>