
XEP-0223: Add a warning about publish-options support

Author: Jonas Wielicki (1 year ago)
Commit: e18bb0387c
1 changed files with 9 additions and 2 deletions

xep-0223.xml (+9, -2)

@@ -25,6 +25,12 @@
25 25
   <supersededby/>
26 26
   <shortname>N/A</shortname>
27 27
   &stpeter;
28
+  <revision>
29
+    <version>1.1</version>
30
+    <date>2018-03-28</date>
31
+    <initials>jwi</initials>
32
+    <remark>Make discovery of support mandatory, add security considerations (in reaction to CVE-2018-6591).</remark>
33
+  </revision>
28 34
   <revision>
29 35
     <version>1.0</version>
30 36
     <date>2008-09-08</date>
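Review bot: the 1.1 revision entry is placed ahead of 1.0, matching the newest-first ordering of the existing revision block, but the remark says what changed and not where; since the SHOULD-to-MUST change in 'Determining Support' is a normative tightening, consider naming that section in the remark next to the CVE-2018-6591 reference so a reader of the changelog can locate the behavioural change. Also confirm that a bump from 1.0 to 1.1 is the right step for a change that introduces a new MUST and a new MUST NOT, rather than a larger version increment.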
@@ -211,7 +217,7 @@
211 217
 </section1>
212 218
 
213 219
 <section1 topic='Determining Support' anchor='support'>
214
-  <p>Before an account owner attempts to complete any of the use cases defined herein, its client SHOULD verify that the account owner's server supports both PEP and the "publish-options" feature; to do so, it MUST send a &xep0030; information request to the server (or cache <cite>Entity Capabilities</cite> information received from the server).</p>
220
+  <p>Before an account owner attempts to complete any of the use cases defined herein, its client MUST verify that the account owner's server supports both PEP and the "publish-options" feature; to do so, it MUST send a &xep0030; information request to the server (or cache <cite>Entity Capabilities</cite> information received from the server).</p>
215 221
   <example caption='Account owner queries server regarding protocol support'><![CDATA[
216 222
 <iq from='juliet@capulet.lit/balcony'
217 223
     to='capulet.lit'
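Review bot: the SHOULD-to-MUST change makes the discovery step mandatory, but the paragraph still does not say what the client has to do when the server advertises PEP without the "publish-options" feature; that consequence (do not store private data) appears only in the Security Considerations hunk, so a short sentence here, or a `<link url='#security'>` pointer, would keep the requirement and its consequence together. The example caption and the IQ that follow are unchanged context and still match the text.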
@@ -238,7 +244,8 @@
238 244
 </section1>
239 245
 
240 246
 <section1 topic='Security Considerations' anchor='security'>
241
-  <p>This document introduces no security considerations above and beyond those specified in <cite>XEP-0060</cite> and <cite>XEP-0163</cite>.</p>
247
+  <p>Since private data is to be stored in a mechanism originally intended to <em>publish</em> data, it is REQUIRED for entities to ensure that the restrictive &lt;publish-options/&gt; will actually be honored by the server by performing the feature discovery procedure as specified in <link url='#support'>Determining Support</link>. If an entity using that procedure finds that the server does not support &lt;publish-options/&gt;, it MUST NOT store private data in PubSub, unless it can ensure privacy of the data with other means.</p>
248
+  <p>The Security Considerations specified in <cite>XEP-0060</cite> and <cite>XEP-0163</cite> need to be taken into account.</p>
242 249
 </section1>
243 250
 
244 251
 <section1 topic='IANA Considerations' anchor='iana'>
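Review bot: the escape clause "unless it can ensure privacy of the data with other means" leaves the MUST NOT open-ended, because the hunk does not say what counts as other means; consider dropping the clause or giving one concrete criterion (for instance, that the data is encrypted end-to-end before being published) so that an implementation cannot treat an unverified access model as sufficient. Minor: `&lt;publish-options/&gt;` is written with escaped angle brackets in prose here, while the 'Determining Support' paragraph refers to the same thing as the "publish-options" feature in quotes; pick one form for consistency. The second paragraph correctly keeps the reference to XEP-0060 and XEP-0163 that the removed sentence carried.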
