From e18bb0387c3c13fe776ff6c96189bf41a0f12e62 Mon Sep 17 00:00:00 2001 From: Jonas Wielicki Date: Thu, 15 Mar 2018 08:50:33 +0100 Subject: [PATCH] XEP-0223: Add a warning about publish-options support --- xep-0223.xml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/xep-0223.xml b/xep-0223.xml index 49ee88a4..826f3558 100644 --- a/xep-0223.xml +++ b/xep-0223.xml @@ -25,6 +25,12 @@ N/A &stpeter; + + 1.1 + 2018-03-28 + jwi + Make discovery of support mandatory, add security considerations (in reaction to CVE-2018-6591). + 1.0 2008-09-08 @@ -211,7 +217,7 @@ -

Before an account owner attempts to complete any of the use cases defined herein, its client SHOULD verify that the account owner's server supports both PEP and the "publish-options" feature; to do so, it MUST send a &xep0030; information request to the server (or cache Entity Capabilities information received from the server).

+

Before an account owner attempts to complete any of the use cases defined herein, its client MUST verify that the account owner's server supports both PEP and the "publish-options" feature; to do so, it MUST send a &xep0030; information request to the server (or cache Entity Capabilities information received from the server).

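Review bot: the sentence in this hunk now makes the support check a MUST, but it still names the feature only informally as "publish-options" and does not say what the client does when the check fails; name the exact disco#info feature var an implementation has to look for, so every client tests the same string, and either state the consequence here (proceed only if both PEP and publish-options are advertised) or reference the Security Considerations section that carries the corresponding MUST NOT.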
-

This document introduces no security considerations above and beyond those specified in XEP-0060 and XEP-0163.

+

Since private data is to be stored in a mechanism originally intended to publish data, it is REQUIRED for entities to ensure that the restrictive <publish-options/> will actually be honored by the server by performing the feature discovery procedure as specified in Determining Support. If an entity using that procedure finds that the server does not support <publish-options/>, it MUST NOT store private data in PubSub, unless it can ensure privacy of the data with other means.

+

The Security Considerations specified in XEP-0060 and XEP-0163 need to be taken into account.
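Review bot: the escape clause "unless it can ensure privacy of the data with other means" in the added paragraph leaves the MUST NOT without a testable condition, so an implementation can decide on its own that privacy was ensured; either name what qualifies or drop the clause. Also make "Determining Support" a proper section reference rather than plain text, and consider stating the failure mode the check guards against in one sentence: a server that does not honor <publish-options/> will accept the publish without applying the requested restrictions, which is the exposure this revision reacts to.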
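Review bot: the revision entry added in the first hunk is dated 2018-03-28 while the patch itself carries 15 Mar 2018; confirm the date reflects the intended publication date of version 1.1. The revision note would also help implementers more if it said what "add security considerations" concretely requires (MUST NOT store private data when <publish-options/> is unsupported), since the changelog is what they scan first.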