diff --git a/xep-0373.xml b/xep-0373.xml index 4cad2eed..6d1add19 100644 --- a/xep-0373.xml +++ b/xep-0373.xml @@ -46,6 +46,17 @@ look@my.amazin.horse valodim@stratum0.org + + 0.6.0 + 2020-11-22 + fs + +

Fix 'to'-attribute requirements: All content elements which are signed using OpenPGP need + that attribute to prevent Surreptitious Forward Attacks. The &crypt; element does not require + one, as the intented recipient is established by the encryption itself. The XEP had the + requirements for &sign; and &crypt; mixed up.

+
+
0.5.0 2020-06-19 @@ -229,7 +240,7 @@ ]]>

OpenPGP content elements MUST possess exactly one 'time' - element as direct child elements. The &signcrypt; and &crypt; + element as direct child elements. The &signcrypt; and &sign; content elements MUST contain at least one 'to' element(s), which MUST have a 'jid' attribute containing the intended recipient's XMPP address of the signed and/or encrypted data to prevent @@ -241,7 +252,7 @@ (Ed.). Springer-Verlag, London, UK, UK, 83-107. <https://www.iacr.org/archive/eurocrypt2002/23320080/adr.pdf>. The XMPP address found in the 'to' element's 'jid' attribute - SHOULD be without Resourcepart (i.e., a bare JID). A &sign; content + SHOULD be without Resourcepart (i.e., a bare JID). A &crypt; content element may not carry a 'to' attribute. The 'time' element MUST have a 'stamp' attribute which contains the timestamp when the OpenPGP content element was signed and/or encrypted in the @@ -266,14 +277,14 @@ &sign; - MAY NOT contain one + MUST have at least one MUST have exactly one - NOT REQUIRED + OPTIONAL MUST have exactly one &crypt; - MUST have at least one + OPTIONAL MUST have exactly one SHOULD have exactly one MUST have exactly one
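Review bot: typo in the new 0.6.0 revision remark (hunk at @@ -46): "intented recipient" should be "intended recipient". The remark also says "'to'-attribute", while the normative text touched by this patch describes a 'to' element that carries a 'jid' attribute. Writing "'to' element" in the remark would keep the changelog consistent with the requirement it describes.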
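Review bot: the changed sentence in the hunk at @@ -241, "A &crypt; content element may not carry a 'to' attribute", reads as a prohibition, but the table row for &crypt; in this same patch now says OPTIONAL. Lowercase "may not" is ambiguous between "is allowed to omit" and "must not include", and an implementer could reasonably reject a &crypt; element that has a 'to' child. Suggest wording that matches the table, for example "A &crypt; content element MAY omit the 'to' element", and use "element" rather than "attribute" to agree with the preceding sentences.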
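Review bot: in the table hunk at @@ -266, the &sign; row also changes "NOT REQUIRED" to "OPTIONAL" in a cell that is not the 'to' requirement, and the 0.6.0 revision remark mentions only the 'to' fix. Either note this keyword normalisation in the remark or move it to a separate change so the revision history matches the diff. The replacement of "MAY NOT contain one" with "MUST have at least one" for &sign; is the security-relevant part of this hunk; the prose at @@ -229 states the sender-side requirement, and it would help to say explicitly in the same section how a receiving entity treats a &sign; or &signcrypt; element that lacks a matching 'to' element, if that is not already covered elsewhere in the document.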