diff --git a/xep-0280.xml b/xep-0280.xml
index a2dbf07a..f5439d3d 100644
--- a/xep-0280.xml
+++ b/xep-0280.xml
@@ -39,6 +39,12 @@
Reorganized to emphasize uses; removed discussion on error conditions required of "non-supporting" entities; relaxed multiple enables/disables to effectively no-ops; removed requirement for <private/> to be stripped from messages processed by the sending server; reworded "Interaction with Chat States" to be consistent with RFC 2119 language; updated mobile considerations to include battery life; changed all examples to use ".example" for the domainpart. If a server implements the Message Carbons capability, it MUST specify the "urn:xmpp:carbons:2" feature in its service discovery information features as specified in &xep0030; or section 6.3 of &xep0115;. Clients SHOULD NOT attempt to enable or disable Carbons if their server does not support this feature. An entity advertises support for this protocol by including the "urn:xmpp:carbons:2" feature in its service discovery information features as specified in &xep0030; or section 6.3 of &xep0115;. Servers MUST NOT enable the Carbons protocol for a client by default, since unmodified clients might be confused by the new protocol. When a client wants to participate in the Carbons protocol, it sends an IQ set to enable the protocol. When a client wants to participate in the Carbons protocol, it enables the protocol by sending an IQ-set containing a child element <enable/> qualified by the namespace "urn:xmpp:carbons:2": Carbons will generally be enabled before the client sends the first undirected presence, to ensure that all inbound messages will be delivered according to the Carbon rules. The server will respond with an IQ result when Carbons are enabled: Some clients might want to disable Carbons. An example of this might be a mobile client that wants Carbons when the application is in the foreground, and disabled when it is in the background. To disable Carbons, clients send an IQ set: The server will respond with an IQ result when Carbons are disabled: Enabling or disabling Carbons may fail in the several ways. 
If one of these errors is returned, the server MUST keep the previous state, where the initial state is Carbons disabled. For example, if the first enable returns an error, the server MUST NOT enable Carbons. The sender has sent a stanza containing XML that does not conform to the appropriate schema or that cannot be processed. One example is an IQ stanza that includes an unrecognized value of the 'type' attribute. Another is changing to the state that is already in effect (enabling Carbons a second time). The sender has sent an enable or disable request to a server
- that does not support the protocol. This SHOULD NOT happen in
- practice, because clients MUST check for server support before
- sending their request. The sender is forbidden by policy from enabling or
- disabling Carbons. The server will respond with an IQ-result when Carbons are enabled: If the server cannot enable Carbons for this client, it sends an IQ-error to the client, with an appropriate error condition (e.g., <forbidden/> if local policy forbids the client from enabling): The receiver does not allow any entity to turn on Carbons.
- This might occur in a multi-domain deployment, where
- administrators of one domain allow Carbons, but another does
- not. There are various reasons why a server might not be able to enable Carbons for a client. The RECOMMENDED error conditions to return for some reasons are: See the section Handling Multiple Enable/Disable Requests for considerations when a client attempts to enable Carbons multiple times. Some clients might want to disable Carbons. To disable Carbons, the client sends an IQ-set containing a child element <disable/> qualified by the namespace "urn:xmpp:carbons:2": The server will respond with an IQ-result when Carbons are disabled: If the server cannot disable Carbons for this client, it sends an IQ-error to the client, with an appropriate error condition (e.g., <not-allowed/> if trying to disable another client's Carbons): There are various reasons why a server might not be able to disable Carbons for a client. The RECOMMENDED error conditions to return for some reasons are: See the section Handling Multiple Enable/Disable Requests for considerations when a client attempts to disable Carbons multiple times. Messages of type chat that are addressed to the bare JID (localpart@domain) MUST be delivered according to RFC 6121 § 8.5.2, and MUST be copied by the receiving server to all of the resources for that user that are carbons-enabled. The process of making copies is known as "forking." When the server receives a &MESSAGE; of type "chat" addressed to a bare JID (localpart@domainpart), it delivers a copy to each Carbons-enabled resource for the bare JID – in addition to delivering according to RFC 6121 § 8.5.2. This process is sometimes called "forking". A carbons-enabled resource MUST NOT receive more than one copy of the message. A carbons-enabled resource that has a negative priority MUST still receive a copy of the message. Messages of type "chat" that are addressed to a full JID (localpart@domain/resource) MUST be sent by the receiving server to the addressed resource. 
A copy of the message MUST also be sent to all of the Carbons-enabled resources for the receiving user, excluding the original destination (which is sent the original message according to the routing rules in &rfc6120; and &rfc6121;).
+
+
+
+
When the server receives a &MESSAGE; of type "chat" addressed to a full JID (localpart@domainpart/resourcepart), it delivers the &MESSAGE; according to RFC 6121 § 8.5.3, and delivers a forwarded copy to each Carbons-enabled resource for the matching bare JID recipient.
+Each forwarded copy is wrapped using &xep0297;. The wrapping message SHOULD maintain the same 'type' attribute value; the 'from' attribute MUST be the Carbons-enabled user's bare JID (e.g., "localpart@domainpart"); and the 'to' attribute MUST be the full JID of the resource receiving the copy. The content of the wrapping message MUST contain a <received/> element qualified by the namespace "urn:xmpp:carbons:2", which itself contains a <forwarded/> element qualified by the namespace "urn:xmpp:forward:0" that contains the original &MESSAGE;.
+ +The copies sent to the Carbon-enabled resources are wrapped using &xep0297;. The wrapping message SHOULD maintain the same 'type' attribute value; the 'from' attribute MUST be the Carbon-enabled user's bare JID (e.g. "localpart@domain"); and the 'to' attribute SHOULD be the full JID of the resource receiving the copy. The content of the wrapping message MUST contain a <received xmlns='urn:xmpp:carbons:2'/> element, which itself contains a <forwarded xmlns='urn:xmpp:forward:0'/> that contains the original message (properly namespaced as "jabber:client"):
- -Carbons clients want to have copies of messages going in both directions for other resources associated with the same user. To that end, messages of type "chat" that are sent from any resource MUST be copied by the sending server to each of the resources that have enabled Carbons, but are not the sending resource.
-When a client sends a &MESSAGE; of type "chat", its sending server delivers the &MESSAGE; according to RFC 6120 and RFC 6121, and delivers a forwarded copy to each Carbons-enabled resource for the matching bare JID sender.
+Each forwarded copy is wrapped using &xep0297;. The wrapping message SHOULD maintain the same 'type' attribute value; the 'from' attribute MUST be the Carbons-enabled user's bare JID (e.g., "localpart@domainpart"); and the 'to' attribute SHOULD be the full JID of the resource receiving the copy. The content of the wrapping message MUST contain a <sent/> element qualified by the namespace "urn:xmpp:carbons:2", which itself contains a <forwarded/> qualified by the namespace "urn:xmpp:forward:0" that contains the original &MESSAGE; stanza.
+The copies sent to the Carbon-enabled resources are wrapped using &xep0297;. The wrapping message SHOULD maintain the same 'type' attribute value; the 'from' attribute MUST be the Carbon-enabled user's bare JID (e.g. "localpart@domain"); and the 'to' attribute SHOULD be the full JID of the resource receiving the copy. The content of the wrapping message MUST contain a <sent xmlns='urn:xmpp:carbons:2'/> element, which itself contains a <forwarded xmlns='urn:xmpp:forward:0'/> that contains the original message (properly namespaced as "jabber:client"):
- -Some clients might want to avoid carbons on a single message, while still keeping all of the other semantics of Carbon support. This might be useful for clients sending end-to-end encrypted messages, for example.
+The sending server SHOULD NOT send a forwarded copy to the sending full JID if it is a Carbons-enabled resource.
-To avoid a message being Carbon-copied to its other resources, the sending client MUST add a private element in the "urn:xmpp:carbons:2" namespace. When the sending server receives the message, it MUST NOT make carbon copies to the other Carbons-enabled resources, and MUST remove the private element before forwarding the message to the intended recipient.
+Some clients might want to avoid Carbons on a single message, while still keeping all of the other semantics of Carbon support. This might be useful for clients sending end-to-end encrypted messages, for example. To exclude a &MESSAGE; from being forwarded to other Carbons-enabled resources, the sending client add a <private/> element qualified by the namespace "urn:xmpp:carbons:2" as a child content element to the &MESSAGE; stanza.
-Note: use of the private mechanism will lead to partial conversations on other devices. This is the intended effect.
+Note: use of the private mechanism might lead to partial conversations on other devices. This is the intended effect.
-The sending server MUST NOT deliver forwarded &MESSAGE;s to the other Carbons-enabled resources of the sender. The receiving server MUST NOT deliver forwarded &MESSAGE;s to the other Carbons-enabled resource of the recipient, and SHOULD remove the <private/> element before delivering to the recipient.
+Note: if the private &MESSAGE; stanza is addressed to a bare JID, the receiving server still delivers it according to RFC 6121. This might result in a copy being delivered to each resource for the recipient, which effectively negates the behavior of the <private/> element for recipients.
+If a client is permitted to enable Carbons during its login session, the server MUST allow the client enable and disable the protocol multiple times within a session. The server SHOULD NOT treat multiple enable requests (without an intermediate disable request) as an error; it SHOULD simply return an IQ-result (if the protocol is already enabled) or an IQ-error (if the client is not permitted to enable Carbons) for any subsequent requests after the first. Similarly, the server SHOULD NOT treat multiple disable requests (without an intermediate enable request) as an error; it SHOULD return an IQ-result (if the protocols is already disabled) or an IQ-error (if the client's request failed previously) for any subsequent requests after the first.
Note that &xep0085; recommends sending chat state notifications as chat type messages, which means that they will be subject to Carbon-copying. This is intentional.
-Additionally, clients that implement Carbons MAY take special use of chat state notifications:
+Additionally, there are other considerations for clients that implement Carbons and XEP-0085:
When a receiving server attempts to deliver a forked message, and that message bounces with an error for any reason, the receiving server MUST NOT forward that error back to the original sender. The receiving server SHOULD use the sent element in the bounce to determine that an error is from a forked message.
-This rule is used to prevent some of the half-failure modes that have been an issue in other prototocols.
+This rule is used to prevent some of the half-failure modes that have been an issue in other prototocols.
Clients that automatically respond to messages for any reason (e.g. when in the "dnd" presence show state) MUST take adequate care when enabling Carbons in order to prevent storms or loops. Carbon copies of messages MUST NOT be auto-replied to under any circumstances. Forked inbound messages SHOULD NOT be auto-replied to, unless the client has some way of ensuring no more than one auto-reply is sent from all of its user's resources.
+Clients that automatically respond to messages for any reason (e.g., when in the "dnd" presence show state) MUST take adequate care when enabling Carbons in order to prevent storms or loops. Carbon copies of messages MUST NOT be auto-replied to under any circumstances. Forked inbound messages MUST NOT be auto-replied to unless the client has some way of ensuring no more than one auto-reply is sent from all of its user's resources.
Since mobile devices often must pay for network traffic based on usage, the enablement of Carbons for such devices should be undertaken advisedly. More complicated mechanisms for controlling the Carbon-copying or forking of individual conversations may need to be added to deal with mobile clients in the future.
+Enabling this protocol on mobile devices needs to be undertaken with care. This protocol can result in additional bandwidth and power usage, possibly decreasing battery lifetime and increasing monetary costs. Additional mechanisms for controlling the Carbon-copying or forking of individual conversations might need to be added to deal with mobile clients in the future.
The security model assumed by this document is that all of the resources for a single user are in the same trust boundary. Any forwarded copies received by a Carbon-enabled client MUST be from that user's bare JID; any copies that do not meet this requirement MUST be ignored.
+The security model assumed by this document is that all of the resources for a single user are in the same trust boundary. Any forwarded copies received by a Carbons-enabled client MUST be from that user's bare JID; any copies that do not meet this requirement MUST be ignored.
Outbound chat messages that are encrypted end-to-end are not often useful to receive on other resources. As such, they should use the <private/> element specified above to avoid such copying, unless the encryption mechanism is able to accommodate this protocol.
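Review bot: The two added paragraphs describing received copies disagree on the 'to' attribute: the one beginning "Each forwarded copy is wrapped" says it MUST be the full JID of the receiving resource, while the one beginning "The copies sent to the Carbon-enabled resources" says SHOULD, and both added paragraphs for sent copies say SHOULD. Keep one paragraph per direction and use the same requirement level in both, since the security considerations rely on clients checking the wrapper's addressing. The duplicated paragraphs also mix "Carbon-enabled" with "Carbons-enabled" and "localpart@domain" with "localpart@domainpart".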
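Review bot: In the added <private/> paragraph, "the sending client add a <private/> element" carries no RFC 2119 keyword, and the removed server-side rules ("it MUST NOT make carbon copies to the other Carbons-enabled resources", "The receiving server MUST NOT deliver forwarded &MESSAGE;s") have no visible replacement among the added lines. Suggest restoring an explicit requirement level for the client (the removed text used MUST) and an explicit MUST NOT for the sending and receiving servers. Because the added note says bare-JID delivery "effectively negates the behavior of the <private/> element for recipients", the security considerations, which recommend <private/> for end-to-end encrypted messages, should point to that limitation.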
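Review bot: The added paragraph on multiple enable/disable requests says a repeated enable SHOULD NOT be treated as an error, but the unmarked text earlier in the patch still gives "changing to the state that is already in effect (enabling Carbons a second time)" as an example of a bad request. Confirm the older error description is actually removed, otherwise the two statements conflict. Wording in the added lines also needs a pass: "MUST allow the client enable and disable" is missing "to", "if the protocols is already disabled" should be singular, and "prototocols" is carried over unchanged into the re-added sentence about half-failure modes.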