diff --git a/xep-0223.xml b/xep-0223.xml index 49ee88a4..826f3558 100644 --- a/xep-0223.xml +++ b/xep-0223.xml @@ -25,6 +25,12 @@ N/A &stpeter; + + 1.1 + 2018-03-28 + jwi + Make discovery of support mandatory, add security considerations (in reaction to CVE-2018-6591). + 1.0 2008-09-08 @@ -211,7 +217,7 @@ -

Before an account owner attempts to complete any of the use cases defined herein, its client SHOULD verify that the account owner's server supports both PEP and the "publish-options" feature; to do so, it MUST send a &xep0030; information request to the server (or cache Entity Capabilities information received from the server).

+

Before an account owner attempts to complete any of the use cases defined herein, its client MUST verify that the account owner's server supports both PEP and the "publish-options" feature; to do so, it MUST send a &xep0030; information request to the server (or cache Entity Capabilities information received from the server).

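Review bot: the normative structure of the new sentence is muddled: "its client MUST verify ... to do so, it MUST send a &xep0030; information request to the server (or cache Entity Capabilities information received from the server)" reads as if sending the disco#info request is itself mandatory, with caching parenthetically offered as an alternative to that MUST. Since the requirement being made mandatory is the verification, not the transport used to perform it, reword so both sources are explicitly acceptable, e.g. "it MUST determine this, either by sending a &xep0030; information request to the server or from Entity Capabilities information previously received from the server". Also, "the 'publish-options' feature" is still named informally; now that this check gates whether private data may be stored at all, give the exact disco feature var the server is expected to advertise (the one XEP-0060 defines for publish-options) so implementers compare against the right string rather than a substring match on "publish-options".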
-

This document introduces no security considerations above and beyond those specified in XEP-0060 and XEP-0163.

+

Since private data is to be stored in a mechanism originally intended to publish data, it is REQUIRED for entities to ensure that the restrictive <publish-options/> will actually be honored by the server by performing the feature discovery procedure as specified in Determining Support. If an entity using that procedure finds that the server does not support <publish-options/>, it MUST NOT store private data in PubSub, unless it can ensure privacy of the data with other means.

+

The Security Considerations specified in XEP-0060 and XEP-0163 need to be taken into account.
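Review bot: discovery alone does not establish that a particular publish was actually stored under the restrictive options, and this paragraph stops at discovery. A server that advertises the feature may still reject an individual publish (XEP-0060 lets it refuse when the requested preconditions cannot be met), and nothing here says what the client does then; add a sentence that a publish with <publish-options/> that fails MUST be treated as "not stored" and MUST NOT be retried without the options. The escape hatch "unless it can ensure privacy of the data with other means" is also left undefined; either name what qualifies (for instance, a payload that is end-to-end encrypted before it is published) or drop it, otherwise it invites a client to decide that a non-compliant server is acceptable. Finally, the revision log entry for 1.1 gives CVE-2018-6591 as the reason for this change, but the security considerations themselves never mention it or spell out the failure mode they guard against (private data handed to a mechanism that does not honor the restrictive options); a short pointer to the CVE here would keep the rationale visible to readers who never look at the changelog.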