moparisthebest
/
xeps
mirror of https://github.com/moparisthebest/xeps
1
0
Fork 0
Code Issues Releases Wiki Activity

0.7 

git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@1810 4b5297f7-1745-476d-ba37-a9c6900126ab
This commit is contained in:
Peter Saint-Andre 2008-04-28 16:47:29 +00:00
parent bad0660beb
commit e444e64b78
1 changed files with 189 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

280
xep-0158.xml
View File

@ -25,6 +25,12 @@
<shortname>TO BE ASSIGNED</shortname>
&ianpaterson;
&stpeter;
<revision>
<version>0.7</version>
<date>2008-04-28</date>
<initials>psa</initials>
<remark><p>Generalized text to cover abuse rather than just spim; modified temporary namespace to adhere to XMPP Registrar procedures; added use case for joining multi-user chat rooms.</p></remark>
</revision>
<revision>
<version>0.6</version>
<date>2007-07-11</date>
@ -70,10 +76,10 @@
</header>
<section1 topic='Introduction' anchor='intro'>
<p>The appearance of large public IM services based on &rfc3920; and &rfc3921; makes it desirable to implement protocols that <em>discourage</em> the sending of large quantities of instant messaging spam (a.k.a. "spim"). Spim could be generated by XMPP clients connected to legitimate servers or by XMPP servers with virtual clients, where the malicious entities are hosted on networks of "zombie" machines. Spim is defined here as any type of unsolicited XMPP stanza sent by a "robot" and delivered to a human, including messages and subscription requests. Spim has the potential to disrupt people even more than spam, because each message interrupts the receiver (humans typically filter SPAM in batch mode).</p>
<p>Several of the most effective techniques developed to combat SPAM require humans to be differentiated from bots using a "Completely Automated Public Turing Test to Tell Computers and Humans Apart" or CAPTCHA (see &lt;<link url='http://www.captcha.net/'>http://www.captcha.net/</link>&gt;). These challenge techniques are easily adapted to discourage spim. The very occasional inconvenience of responding to a CAPTCHA (e.g., when creating an IM account or sending a message to a new correspondent) is small and perfectly acceptable -- especially when compared to the countless robot-generated interruptions people might otherwise have to filter every day.</p>
<p>The appearance of large public IM services based on &rfc3920; and &rfc3921; makes it desirable to implement protocols that <em>discourage</em> the sending of large quantities of instant messaging spam (a.k.a. "spim") or, in general, abusive traffic. Abusive stanzas could be generated by XMPP clients connected to legitimate servers or by XMPP servers with virtual clients, where the malicious entities are hosted on networks of "zombie" machines. Such abusive stanas could take many forms; a full taxonomy is outside the scope of this document.</p>
<p>Several of the most effective techniques developed to combat abusive messages and behavior via non-XMPP technologies require humans to be differentiated from bots using a "Completely Automated Public Turing Test to Tell Computers and Humans Apart" or CAPTCHA (see &lt;<link url='http://www.captcha.net/'>http://www.captcha.net/</link>&gt;). These challenge techniques are easily adapted to discourage XMPP abuse. The very occasional inconvenience of responding to a CAPTCHA (e.g., when creating an IM account or sending a message to a new correspondent) is small and perfectly acceptable -- especially when compared to the countless robot-generated interruptions people might otherwise have to filter every day.</p>
<p>An alternative technique to CAPTCHAs requires Desktop PC clients to undertake a <span class='ref'>Hashcash</span> <note>Hashcash &lt;<link url='http://hashcash.org/'>http://hashcash.org/</link>&gt;.</note> challenge. These are completely transparent to PC users. They require clients to perform specified CPU-intensive work, making it difficult to send large amounts of spim.</p>
<p>The generic challenge protocol described in this document is designed for incorporation into protocols such as &xep0077; and &xep0159;.</p>
<p>The generic challenge protocol described in this document is designed for incorporation into protocols such as &xep0077;, &xep0045;, and &xep0159;.</p>
</section1>
<section1 topic='Requirements' anchor='require'>
@ -100,54 +106,66 @@
</message>
]]></example>
<section3 topic='Challenge Stanza' anchor='protocol-challenge'>
<p>The challange consists of a message containing a form for the sender to fill out, formatted according to &xep0004;. Each of the challenge form's &lt;field/&gt; elements that are not hidden MAY contain a different challenge and any media required for the challenge (see &xep0221;). The hidden 'from' field MUST contain the value of the 'to' attribute of the sender's triggering stanza. If the stanza from the sender included an 'id' attribute then the hidden 'sid' field MUST be set to that value. The 'xml:lang' attribute of the challenge stanza SHOULD be the same as the one received from the sender. In accordance with &xep0068;, the hidden 'FORM_TYPE' field MUST have a value of "http://www.xmpp.org/extensions/xep-0158.html#ns" &NSNOTE;.</p>
<p>The challange consists of a message containing a form for the sender to fill out, formatted according to &xep0004;. Each of the challenge form's &lt;field/&gt; elements that are not hidden MAY contain a different challenge and any media required for the challenge (see &xep0221;). The hidden 'from' field MUST contain the value of the 'to' attribute of the sender's triggering stanza. If the stanza from the sender included an 'id' attribute then the hidden 'sid' field MUST be set to that value. The 'xml:lang' attribute of the challenge stanza SHOULD be the same as the one received from the sender. In accordance with &xep0068;, the hidden 'FORM_TYPE' field MUST have a value of "urn:xmpp:tmp:challenge" &NSNOTE;.</p>
<p>The challenger SHOULD include an explanation (in the &BODY; element) for clients that do not support this protocol. The challenger MAY also include a URL (typically a Web page with instructions) using &xep0066; as an alternative for clients that do not support the challenge form. Note: Even if it provides a URL, a challenger MUST always provide a challenge form. <note>A constrained client, like a mobile phone, cannot present a Web page to its user.</note></p>
<example caption='Challenge Offers a Choice of Challenges to Sender'><![CDATA[
<example caption='Challenger Offers a Choice of Challenges to Sender'><![CDATA[
<message from='victim.com'
to='robot@spimmer.com/zombie'
xml:lang='en'
id='F3A6292C'>
<body>
Your messages to innocent@example.com are being blocked. To unblock
Your messages to innocent@victim.com are being blocked. To unblock
them, visit http://www.victim.com/challenge.html?F3A6292C
</body>
<x xmlns='jabber:x:oob'>
<url>http://www.victim.com/challenge.html?F3A6292C</url>
</x>
<challenge xmlns='http://www.xmpp.org/extensions/xep-0158.html#ns'>
<challenge xmlns='urn:xmpp:tmp:challenge'>
<x xmlns='jabber:x:data' type='form'>
<field type='hidden' var='FORM_TYPE'>
<value>http://www.xmpp.org/extensions/xep-0158.html#ns</value>
<value>urn:xmpp:tmp:challenge</value>
</field>
<field type='hidden' var='from'><value>innocent@victim.com</value></field>
<field type='hidden' var='sid'><value>spam1</value></field>
<field var='ocr'>
<media xmlns='xmlns='http://www.xmpp.org/extensions/xep-0221.html#ns'
<media xmlns='xmlns='urn:xmpp:tmp:media-element'
height='80'
width='290'>
<uri type='image/jpeg'>http://www.victim.com/challenges/ocr.jpeg?F3A6292C</uri>
<data type='image/jpeg'> ** Base64 encoded image ** </data>
<uri type='image/jpeg'>
http://www.victim.com/challenges/ocr.jpeg?F3A6292C
</uri>
<data xmlns='urn:xmpp:tmp:data-element'
type='image/jpeg'> ** Base64 encoded image ** </data>
</media>
</field>
<field var='picture_recog'>
<media xmlns='xmlns='http://www.xmpp.org/extensions/xep-0221.html#ns'
<media xmlns='xmlns='urn:xmpp:tmp:media-element'
height='150'
width='150'>
<uri type='image/jpeg'>http://www.victim.com/challenges/picture.jpeg?F3A6292C</uri>
<data type='image/jpeg'> ** Base64 encoded image ** </data>
<uri type='image/jpeg'>
http://www.victim.com/challenges/picture.jpeg?F3A6292C
</uri>
<data xmlns='urn:xmpp:tmp:data-element'
type='image/jpeg'> ** Base64 encoded image ** </data>
</media>
</field>
<field var='speech_recog'>
<media xmlns='xmlns='http://www.xmpp.org/extensions/xep-0221.html#ns'>
<uri type='audio/x-wav'>http://www.victim.com/challenges/speech.wav?F3A6292C</uri>
<uri type='audio/ogg-speex'>http://www.victim.com/challenges/speech.ogg?F3A6292C</uri>
<media xmlns='xmlns='urn:xmpp:tmp:media-element'>
<uri type='audio/x-wav'>
http://www.victim.com/challenges/speech.wav?F3A6292C
</uri>
<uri type='audio/ogg-speex'>
http://www.victim.com/challenges/speech.ogg?F3A6292C
</uri>
</media>
</field>
<field var='video_recog'>
<media xmlns='xmlns='http://www.xmpp.org/extensions/xep-0221.html#ns'
<media xmlns='xmlns='urn:xmpp:tmp:media-element'
height='150'
width='150'>
<uri type='video/mpeg'>http://www.victim.com/challenges/video.mpeg?F3A6292C</uri>
<uri type='video/mpeg'>
http://www.victim.com/challenges/video.mpeg?F3A6292C
</uri>
</media>
</field>
<field label='Type the color of a stop light' type='text-single' var='qa'/>
@ -195,10 +213,10 @@
to='victim.com'
xml:lang='en'
id='F3A6292C'>
<challenge xmlns='http://www.xmpp.org/extensions/xep-0158.html#ns'>
<challenge xmlns='urn:xmpp:tmp:challenge'>
<x xmlns='jabber:x:data' type='submit'>
<field var='FORM_TYPE'>
<value>http://www.xmpp.org/extensions/xep-0158.html#ns</value>
<value>urn:xmpp:tmp:challenge</value>
</field>
<field var='from'><value>innocent@victim.com</value></field>
<field var='sid'><value>spam1</value></field>
@ -234,7 +252,7 @@
to='robot@spimmer.com/zombie'
id='F3A6292C'/>
]]></example>
<p>However, if the sender submits an incorrect response the challenger SHOULD send it a &notacceptable; error with type "cancel": <note>If a large proportion of the responses a server is receiving from another IP are incorrect then it SHOULD inform the administrator of the other server using the protocol specified in &xep0161;. It SHOULD also automatically block all stanzas from the abusive user, users, server or IP.</note></p>
<p>However, if the sender submits an incorrect response the challenger SHOULD send it a &notacceptable; error with type "cancel": <note>If a large proportion of the responses a server is receiving from another IP are incorrect then it SHOULD inform the administrator of the other server using the protocol specified in &xep0161; or &xep0236;. It SHOULD also automatically block all stanzas from the abusive user, users, server or IP.</note></p>
<example caption='Challenger Tells Sender it Failed'><![CDATA[
<iq type='error'
from='victim.com'
@ -248,7 +266,7 @@
</section3>
</section2>
<section2 topic='Multiple Challenges' anchor='protocol-multiple'>
<p>The challenger may demand responses to more than one of the challenges it is offering by including an 'answers' &lt;field/&gt; element in the form. It may require responses to particular challenges by including &lt;required/&gt; elements in the compulsory fields.</p>
<p>The challenger MAY demand responses to more than one of the challenges it is offering; this is done by including an 'answers' &lt;field/&gt; element in the form. The challenger also MAY require responses to particular challenges; this is done by including &lt;required/&gt; elements in the compulsory fields.</p>
<example caption='Challenger Sets Multiple Challenges'><![CDATA[
<message from='victim.com'
to='robot@spimmer.com/zombie'
@ -256,24 +274,28 @@
id='73DE28A2'>
<body>Your messages to innocent@victim.com are being blocked.
To unblock them, ask innocent@victim.com to send you a message.</body>
<challenge xmlns='http://www.xmpp.org/extensions/xep-0158.html#ns'>
<challenge xmlns='urn:xmpp:tmp:challenge'>
<x xmlns='jabber:x:data' type='form'>
<field type='hidden' var='FORM_TYPE'>
<value>http://www.xmpp.org/extensions/xep-0158.html#ns</value>
<value>urn:xmpp:tmp:challenge</value>
</field>
<field type='hidden' var='from'><value>innocent@victim.com</value></field>
<field type='hidden' var='sid'><value>spam2</value></field>
<field type='hidden' var='answers'><value>2</value></field>
<field var='ocr'>
<media xmlns='xmlns='http://www.xmpp.org/extensions/xep-0221.html#ns'
<media xmlns='xmlns='urn:xmpp:tmp:media-element'
height='80'
width='290'>
<uri type='image/jpeg'>http://www.victim.com/challenges/ocr.jpeg?F3A6292C</uri>
<uri type='image/jpeg'>
http://www.victim.com/challenges/ocr.jpeg?F3A6292C
</uri>
</media>
</field>
<field var='audio_recog'>
<media xmlns='xmlns='http://www.xmpp.org/extensions/xep-0221.html#ns'>
<uri type='audio/x-wav'>http://www.victim.com/challenges/audio.wav?F3A6292C</uri>
<media xmlns='xmlns='urn:xmpp:tmp:media-element'>
<uri type='audio/x-wav'>
http://www.victim.com/challenges/audio.wav?F3A6292C
</uri>
</media>
</field>
<field label='Type the color of a stop light' type='text-single' var='qa'>
@ -292,10 +314,10 @@
to='victim.com'
xml:lang='en'
id='73DE28A2'>
<challenge xmlns='http://www.xmpp.org/extensions/xep-0158.html#ns'>
<challenge xmlns='urn:xmpp:tmp:challenge'>
<x xmlns='jabber:x:data' type='submit'>
<field var='FORM_TYPE'>
<value>http://www.xmpp.org/extensions/xep-0158.html#ns</value>
<value>urn:xmpp:tmp:challenge</value>
</field>
<field var='from'><value>innocent@victim.com</value></field>
<field var='sid'><value>spam2</value></field>
@ -311,27 +333,30 @@
</section1>
<section1 topic='Extended In-Band Registration' anchor='register'>
<p>This section shows how challenges SHOULD be combined with the existing registration protocol according to the rules defined in the Extensibility section of <cite>In-Band Registration</cite>. Note: The &lt;challenge/&gt; wrapper element is not required.</p>
<p>This section shows how challenges SHOULD be combined with the existing In-Band Registration protocol according to the rules defined in the Extensibility section of <cite>XEP-0077</cite>.</p>
<p>Note: The &lt;challenge/&gt; wrapper element is not included, because <cite>XEP-0077</cite> specifies that data forms shall be contained as the direct children of the &QUERY; element.</p>
<example caption='Entity Requests Registration Fields from Host'><![CDATA[
<iq type='get' xml:lang='en' id='reg1'>
<query xmlns='jabber:iq:register'/>
</iq>
]]></example>
]]></example>
<p>Note that the challenge form MUST be inside the &QUERY; element, and the server's challenge ID is specified within the form:</p>
<example caption='Host Returns Registration and Challenge Fields to Entity'><![CDATA[
<iq type='result' xml:lang='en' id='reg1'>
<query xmlns='jabber:iq:register'>
<x xmlns='jabber:x:data' type='form'>
<field type='hidden' var='FORM_TYPE'>
<value>http://www.xmpp.org/extensions/xep-0158.html#ns</value>
<value>urn:xmpp:tmp:challenge</value>
</field>
<field type='hidden' var='cid'><value>F3A6292C</value></field>
<field type='hidden' var='answers'><value>3</value></field>
<field var='ocr'>
<media xmlns='xmlns='http://www.xmpp.org/extensions/xep-0221.html#ns'
<media xmlns='xmlns='urn:xmpp:tmp:media-element'
height='80'
width='290'>
<uri type='image/jpeg'>http://www.victim.com/challenges/ocr.jpeg?F3A6292C</uri>
<uri type='image/jpeg'>
http://www.victim.com/challenges/ocr.jpeg?F3A6292C
</uri>
</media>
</field>
<field label='93C7A' type='text-single' var='SHA-256'/>
@ -350,15 +375,15 @@
</x>
</query>
</iq>
]]></example>
]]></example>
<p>The server MAY include an &lt;instructions/&gt; element and a URL using <cite>Out-of-Band Data</cite> (e.g., a web page) in the &QUERY; element (see example above). <cite>In-Band Registration</cite> recommends that the challenger SHOULD submit the completed x:data form, however if it does not understand the form, then it MAY present the instructions and the included URL to the user instead of providing the required information in-band.</p>
<example caption='Entity Provides Required Information In-Band'><![CDATA[
<p>The server MAY include an &lt;instructions/&gt; element and a URL using <cite>Out-of-Band Data</cite> (e.g., a web page) in the &QUERY; element (see example above). <cite>In-Band Registration</cite> recommends that the challenger SHOULD submit the completed x:data form, however if it does not understand the form, then it MAY present the instructions and the included URL to the user instead of providing the required information in-band.</p>
<example caption='Entity Provides Required Information In-Band'><![CDATA[
<iq type='set' xml:lang='en' id='reg2'>
<query xmlns='jabber:iq:register'>
<x xmlns='jabber:x:data' type='result'>
<field var='FORM_TYPE'>
<value>http://www.xmpp.org/extensions/xep-0158.html#ns</value>
<value>urn:xmpp:tmp:challenge</value>
</field>
<field var='cid'><value>F3A6292C</value></field>
<field var='answers'><value>3</value></field>
@ -368,12 +393,85 @@
</x>
</query>
</iq>
]]></example>
]]></example>
</section1>
<section1 topic='Multi-User Chat' anchor='muc'>
<p>A service that hosts multi-user chat rooms in accordance with <cite>XEP-0045</cite> MAY challenge unknown entities that seek to join such rooms or that send messages in such rooms.</p>
<example caption='Sender Attempts to Join Chat Room'><![CDATA[
<presence from='robot@spimmer.com/zombie'
to='friendly-chat@muc.victim.com'/>
]]></example>
<example caption='Challenger Offers a Choice of Challenges to Sender'><![CDATA[
<message from='muc.victim.com'
to='robot@spimmer.com/zombie'
id='A4C7303D'>
<body>
Your messages to friendly-chat@muc.victim.com are being blocked. To unblock
them, visit http://www.victim.com/challenge.html?A4C7303D
</body>
<x xmlns='jabber:x:oob'>
<url>http://www.victim.com/challenge.html?A4C7303D</url>
</x>
<challenge xmlns='urn:xmpp:tmp:challenge'>
<x xmlns='jabber:x:data' type='form'>
<field type='hidden' var='FORM_TYPE'>
<value>urn:xmpp:tmp:challenge</value>
</field>
<field type='hidden' var='from'><value>muc.victim.com</value></field>
<field type='hidden' var='sid'><value>spam3</value></field>
<field var='ocr'>
<media xmlns='xmlns='urn:xmpp:tmp:media-element'
height='80'
width='290'>
<uri type='image/jpeg'>
http://www.victim.com/challenges/ocr.jpeg?A4C7303D
</uri>
<data xmlns='urn:xmpp:tmp:data-element'
type='image/jpeg'> ** Base64 encoded image ** </data>
</media>
</field>
<field var='picture_recog'>
<media xmlns='xmlns='urn:xmpp:tmp:media-element'
height='150'
width='150'>
<uri type='image/jpeg'>
http://www.victim.com/challenges/picture.jpeg?A4C7303D
</uri>
<data xmlns='urn:xmpp:tmp:data-element'
type='image/jpeg'> ** Base64 encoded image ** </data>
</media>
</field>
<field var='speech_recog'>
<media xmlns='xmlns='urn:xmpp:tmp:media-element'>
<uri type='audio/x-wav'>
http://www.victim.com/challenges/speech.wav?A4C7303D
</uri>
<uri type='audio/ogg-speex'>
http://www.victim.com/challenges/speech.ogg?A4C7303D
</uri>
</media>
</field>
<field var='video_recog'>
<media xmlns='xmlns='urn:xmpp:tmp:media-element'
height='150'
width='150'>
<uri type='video/mpeg'>
http://www.victim.com/challenges/video.mpeg?A4C7303D
</uri>
</media>
</field>
<field label='Type the color of a stop light' type='text-single' var='qa'/>
<field label='93C7A' type='text-single' var='SHA-256'/>
</x>
</challenge>
</message>
]]></example>
</section1>
<section1 topic='Challenge Types' anchor='captcha'>
<section2 topic='Introduction' anchor='captcha-intro'>
<p>Entities MUST address the needs of disabled people and CPU-constrained clients by offering people a reasonable choice of different types of challenges.</p>
<p>Entities MUST address the needs of disabled people and CPU-constrained clients by offering senders a reasonable choice of different types of challenges.</p>
<p>Desktop clients running on modern PCs will typically be configured to automatically perform a specified 'SHA-256' Hashcash challenge (see below) whenever it is below a certain level of difficulty, with the result that many people may not even notice challenges most of the time. However, people using CPU-constrained clients (e.g. Web or mobile clients) would notice the performance hit. They might prefer to take a CAPTCHA challenge instead. <note>A CPU-constrained client could ask a faster computer (e.g., its server) to perform a Hashcash challenge for it.</note></p>
<p>Visually disabled people using a CPU-constrained client could configure their client to always present them with an audio CAPTCHA challenge.</p>
<p>Most of the challenges below are language sensitive. However, the evaluation of the OCR and Hashcash responses does not depend on the language the sender is using.</p>
@ -399,38 +497,6 @@
<th>'label'</th>
<th>Example generic instructions</th>
</tr>
<tr>
<td>ocr*</td>
<td>Optical Character Recognition</td>
<td>image</td>
<td>image/jpeg</td>
<td>No</td>
<td>Enter the code you see</td>
</tr>
<tr>
<td>picture_recog</td>
<td>Picture Recognition</td>
<td>image</td>
<td>image/jpeg</td>
<td>No</td>
<td>Describe the picture</td>
</tr>
<tr>
<td>video_recog</td>
<td>Video Recognition</td>
<td>video</td>
<td>video/mpeg</td>
<td>No</td>
<td>Describe the video</td>
</tr>
<tr>
<td>speech_recog</td>
<td>Speech Recognition</td>
<td>audio</td>
<td>audio/x-wav</td>
<td>No</td>
<td>Enter the words you hear</td>
</tr>
<tr>
<td>audio_recog</td>
<td>Audio Recognition</td>
@ -439,6 +505,14 @@
<td>No</td>
<td>Describe the sound you hear</td>
</tr>
<tr>
<td>ocr *</td>
<td>Optical Character Recognition</td>
<td>image</td>
<td>image/jpeg</td>
<td>No</td>
<td>Enter the code you see</td>
</tr>
<tr>
<td>picture_q</td>
<td>Picture Question</td>
@ -448,12 +522,20 @@
<td>Answer the question you see</td>
</tr>
<tr>
<td>video_q</td>
<td>Video Question</td>
<td>video</td>
<td>video/mpeg</td>
<td>picture_recog</td>
<td>Picture Recognition</td>
<td>image</td>
<td>image/jpeg</td>
<td>No</td>
<td>Answer the question in the video</td>
<td>Describe the picture</td>
</tr>
<tr>
<td>qa</td>
<td>Text Question and Answer</td>
<td>-</td>
<td>-</td>
<td>Yes**</td>
<td>-</td>
</tr>
<tr>
<td>speech_q</td>
@ -464,12 +546,28 @@
<td>Answer the question you hear</td>
</tr>
<tr>
<td>qa</td>
<td>Text Question and Answer</td>
<td>-</td>
<td>-</td>
<td>Yes**</td>
<td>-</td>
<td>speech_recog</td>
<td>Speech Recognition</td>
<td>audio</td>
<td>audio/x-wav</td>
<td>No</td>
<td>Enter the words you hear</td>
</tr>
<tr>
<td>video_q</td>
<td>Video Question</td>
<td>video</td>
<td>video/mpeg</td>
<td>No</td>
<td>Answer the question in the video</td>
</tr>
<tr>
<td>video_recog</td>
<td>Video Recognition</td>
<td>video</td>
<td>video/mpeg</td>
<td>No</td>
<td>Describe the video</td>
</tr>
</table>
<p>* The image portrays random characters that humans can read but OCR software cannot. <note>See PWNtcha &lt;<link url='http://sam.zoy.org/pwntcha/'>http://sam.zoy.org/pwntcha/</link>&gt; for some example OCR CAPTCHA images.</note> To pass the challenge, the sender must simply type the characters. The correct answer SHOULD NOT depend on the language specified by the 'xml:lang' attribute of the challenge stanza.</p>
@ -479,7 +577,7 @@
</section1>
<section1 topic='Question and Answer for Legacy Clients' anchor='legacy'>
<p>An challenger MAY provide a text question in the &BODY; element of a challenge stanza for clients that do not support challenge forms. Entities that cannot serve <cite>Out-of-Band Data</cite> URLs MAY use this option to challenge legacy clients.</p>
<p>A challenger MAY provide a text question in the &BODY; element of a challenge stanza for clients that do not support challenge forms. Entities that cannot serve <cite>Out-of-Band Data</cite> URLs MAY use this option to challenge legacy clients.</p>
<!-- It also allows entities to provide a challenge for minimal legacy clients that do not support <cite>Out-of-Band Data</cite> URLs (these don't exist). -->
<p>Note: Robots always attempt the easiest challenge they are offered. So the question MUST be at least as difficult for a robot as the challenge form.</p>
<p>Note: Even if it provides a text question in the &BODY; element, a challenger MUST always provide a challenge form.</p>
@ -490,10 +588,10 @@
id='F3A6292C'>
<body>Your messages to me are being blocked. To unblock them,
reply with the color of a stop light followed by 'F3A6292C'.</body>
<challenge xmlns='http://www.xmpp.org/extensions/xep-0158.html#ns'>
<challenge xmlns='urn:xmpp:tmp:challenge'>
<x xmlns='jabber:x:data' type='form'>
<field type='hidden' var='FORM_TYPE'>
<value>http://www.xmpp.org/extensions/xep-0158.html#ns</value>
<value>urn:xmpp:tmp:challenge</value>
</field>
<field type='hidden' var='from'><value>innocent@victim.com</value></field>
<field type='hidden' var='sid'><value>spam1</value></field>
@ -559,7 +657,7 @@
<p>Upon approval of this document, the <cite>XMPP Registrar</cite> shall register the following new FORM_TYPE. Additional fields will be defined in future submissions.</p>
<code><![CDATA[
<form_type>
<name>http://www.xmpp.org/extensions/xep-0158.html#ns</name>
<name>urn:xmpp:tmp:challenge</name>
<doc>XEP-0158</doc>
<desc>forms enabling robot challenges</desc>
<field
@ -687,8 +785,8 @@
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='http://www.xmpp.org/extensions/xep-0158.html#ns'
xmlns='http://www.xmpp.org/extensions/xep-0158.html#ns'
targetNamespace='urn:xmpp:tmp:challenge'
xmlns='urn:xmpp:tmp:challenge'
elementFormDefault='qualified'>
<xs:element name='challenge'>