diff --git a/xep-0115.xml b/xep-0115.xml index be69e548..42021bf8 100644 --- a/xep-0115.xml +++ b/xep-0115.xml @@ -7,7 +7,7 @@
Entity Capabilities - This document defines an XMPP protocol extension for broadcasting and discovering client, device, or generic entity capabilities in a way that minimizes network impact. + This document defines an XMPP protocol extension for broadcasting and dynamically discovering client, device, or generic entity capabilities in a way that minimizes network impact. &LEGALNOTICE; 0115 Draft @@ -28,10 +28,10 @@ &stpeter; &remko; - 1.4pre2 - in progress, last updated 2007-07-11 + 1.4pre3 + in progress, last updated 2007-07-20 psa/jjh -

In response to persistent security concerns over caps poisoning, defined method for hashing concatenation of identity and supported features.

+

In response to persistent security concerns over caps poisoning, redefined ver attribute to be a hash of the service discovery identity and features in a way that is backward-compatible with the legacy format.

1.3 @@ -104,20 +104,21 @@
-

It is often desirable for a Jabber/XMPP application (commonly but not necessarily a client) to take different actions depending on the capabilities of another application from which it receives presence information. Examples include:

+

It is often desirable for an XMPP application (commonly but not necessarily a client) to take different actions depending on the capabilities of another application from which it receives presence information. Examples include:

    -
  • Showing a different set of icons depending on the capabilities of other clients.
  • -
  • Not sending &xep0071; content to plaintext clients such as cell phones.
  • +
  • Showing a different set of icons depending on the capabilities of other entities.
  • +
  • Not sending &xep0071; or other rich content to plaintext clients such as cell phones.
  • Allowing the initiation of a Voice over IP (VoIP) session only to clients that support &xep0166; and &xep0167;.
  • Not showing a "Send a File" button if another user's client does not support &xep0096;.
  • +
  • Filtering &xep0060; notifications based on advertised subscriber interests.
-

Some older Jabber clients send one &xep0030; and one &xep0092; request to each entity from which they received presence after login. That "disco+version flood" results in an excessive use of bandwidth and is impractical on a larger scale, particularly for users or applications with large rosters. Therefore this document proposes a more robust and scalable solution: namely, a presence-based mechanism This proposal is not limited to clients, and can be used by any entity that exchanges presence with another entity, e.g., a gateway. However, this document uses the example of clients throughout. for exchanging information about entity capabilities. Clients SHOULD NOT engage in the older "disco+version flood" behavior and instead SHOULD use Entity Capabilities as specified herein.

+

In the past, some Jabber clients sent one &xep0030; and one &xep0092; request to each entity from which they received presence after login. That "disco+version flood" resulted in an excessive use of bandwidth and was impractical on a larger scale, particularly for users or applications with large rosters. Therefore this document defines a more robust and scalable solution: namely, a presence-based mechanism This proposal is not limited to clients, and can be used by any entity that exchanges presence with another entity, e.g., a gateway. However, this document uses the example of clients throughout. for exchanging information about entity capabilities. Clients should not engage in the older "disco+version flood" behavior and instead should use Entity Capabilities as specified herein.

-

This section provides a friendly, non-normative introduction to the workings of entity capabilities.

-

Imagine that you are a Shakespearean character named Juliet and one of your contacts, a handsome fellow named Romeo, becomes available. His client wants to publish its capabilities, and does this by adding a <c/> element to its presence packets. As a result, your client receives the following presence packet:

+

This section provides a friendly introduction to entity capabilities.

+

Imagine that you are a Shakespearean character named Juliet and one of your contacts, a handsome fellow named Romeo, becomes available. His client wants to publish its capabilities, and does this by adding a <c/> element with special attributes to its presence packets. As a result, your client receives the following presence packet:

+ @@ -126,13 +127,19 @@

The 'node' attribute represents the client Romeo is using (the client identifier is an "FYI" and is not used further in Entity Capabilities). The 'ver' attribute is a specially-constructed string that represents the identity (see &DISCOCATEGORIES;) and supported features (see &DISCOFEATURES;) of the entity.

At this point, your client has no idea what the capabilities are of someone with a version string '8RovUdtOmiAjzj+xI7SK5BCw3A8='. Your client therefore sends a service discovery query to Romeo, asking what his client can do.

+ ]]>

The response is:

+ @@ -141,7 +148,7 @@ ]]> -

At this point, your client knows that anyone advertising a version string of '8RovUdtOmiAjzj+xI7SK5BCw3A8=' has a client that can do &xep0045;. Your client remembers this information, so that it does not need to explicitly query the capabilities of a contact with the same version string. For example, Benvolio may send you the following presence:

+

At this point, your client knows that anyone advertising a version string of '8RovUdtOmiAjzj+xI7SK5BCw3A8=' has a client that can do &xep0045; and the other features returned by Romeo's client (the string can be relied upon because of how it is generated and checked as explained later in this document). Your client remembers this information, so that it does not need to explicitly query the capabilities of a contact with the same version string. For example, Benvolio may send you the following presence:

The type of client I am using is of interest to the people in my roster.
  • Clients for the people on my roster might want to make user interface decisions based on my capabilities.
  • Different clients may support the same capabilities.
  • -
  • Members of a community tend to cluster around a small set of clients. More specifically, multiple people in my roster use the same client, and they upgrade versions relatively slowly (commonly a few times a year, perhaps once a week at most, certainly not once a minute).
  • +
  • Members of a community tend to cluster around a small set of clients with a small set of capabilities. More specifically, multiple people in my roster use the same client, and they upgrade versions relatively slowly (commonly a few times a year, perhaps once a week at most, certainly not once a minute).
  • Some clients are running against servers without server-to-server connectivity enabled, and without access to the Internet via HTTP.
  • Conversations are possible between users who are not on each other's rosters.
  • -
  • Client capabilities may change over the course of a session, due to features being enabled and disabled.
  • +
  • Client capabilities may change over the course of a presence session, due to features being enabled and disabled.
  • The protocol defined herein addresses the following requirements:

      -
    1. Clients MUST be able to participate even if they support only &xmppcore;, &xmppim;, and XEP-0030.
    2. -
    3. Clients MUST be able to participate even if they are on networks without connectivity to other XMPP servers, services offering specialized XMPP extensions, or HTTP servers.These first two requirements effectively eliminated &xep0060; as a possible implementation of entity capabilities.
    4. -
    5. Clients MUST be able to retrieve information without querying each user.
    6. -
    7. Since presence is normally broadcasted to many users, the byte size of the proposed extension MUST be as small as possible.
    8. -
    9. It MUST be possible to write a &xep0045; implementation that passes the given information along.
    10. -
    11. It MUST be possible to publish a change in capabilities within a single session.
    12. -
    13. Server infrastructure above and beyond that defined in XMPP Core and XMPP IM MUST NOT be required for this approach to work, although additional server infrastructure MAY be used for optimization purposes.
    14. +
    15. Clients must be able to participate even if they support only &xmppcore;, &xmppim;, and XEP-0030.
    16. +
    17. Clients must be able to participate even if they are on networks without connectivity to other XMPP servers, services offering specialized XMPP extensions, or HTTP servers.These first two requirements effectively eliminated &xep0060; as a possible implementation of entity capabilities.
    18. +
    19. Clients must be able to retrieve information without querying each user.
    20. +
    21. Since presence is normally broadcasted to many users, the byte size of the proposed extension must be as small as possible.
    22. +
    23. It must be possible to write a XEP-0045 server implementation that passes the given information along.
    24. +
    25. It must be possible to publish a change in capabilities within a single presence session.
    26. +
    27. Server infrastructure above and beyond that defined in XMPP Core and XMPP IM must not be required for this approach to work, although additional server infrastructure may be used for optimization purposes.
    -

    Entity capabilities are encapsulated in a <c/> element qualified by the 'http://jabber.org/protocol/caps' namespace. The attributes of the <c/> element are as follows:

    +

    Entity capabilities are encapsulated in a <c/> element qualified by the 'http://jabber.org/protocol/caps' namespace. The attributes of the <c/> element are as follows.

    @@ -220,7 +227,7 @@ - +
    Name
    verA string that specifies the identity and supported features of the entity. Before version 1.4 of this specification, the 'ver' attribute was used to specify the released version of the software.A string that specifies the identity and supported features of the entity. Before version 1.4 of this specification, the 'ver' attribute was used to specify the released version of the software; however, the values of the 'ver' attribute that result from use of the algorithm specified since version 1.4 are backward-compatible with the legacy approach. REQUIRED
    @@ -231,8 +238,8 @@

    Note: All sorting operations MUST be performed using "i;octet" collation as specified in Section 9.3 of &rfc4790;.

    1. Initialize an empty string S.
    2. -
    3. Sort the service discovery identities by category and then by type (if it exists), formatted as "category" "/" "type".
    4. -
    5. For each identity, append the category/type to S, followed by the '<' character.
    6. +
    7. Sort the service discovery identities by category and then by type (if it exists), formatted as 'category' '/' 'type'.
    8. +
    9. For each identity, append the 'category/type' to S, followed by the '<' character.
    10. Sort the supported features.
    11. For each feature, append the feature to S, followed by the '<' character.
    12. Compute ver by hashing S using the SHA-1 algorithm as specified in &rfc3174; (with binary output) and encoding the hash using Base64 as specified in Section 4 of &rfc4648; (note: the Base64 output MUST NOT include whitespace and MUST set padding bits to zero). The OpenSSL command for producing such output is "echo -n 'S' | openssl dgst -binary -sha1 | openssl enc -nopad -base64".
    13. @@ -240,7 +247,7 @@

      For example, consider an entity whose service discovery category is "client", whose service discovery type is "pc", and whose supported features are "http://jabber.org/protocol/disco#info", "http://jabber.org/protocol/disco#items", and "http://jabber.org/protocol/muc". The value of the 'ver' attribute would be generated as follows:

      1. S = ''
      2. -
      3. Only one identity: client/pc
      4. +
      5. Only one identity: "client/pc"
      6. S = 'client/pc<'
      7. Sort the features: "http://jabber.org/protocol/disco#info", "http://jabber.org/protocol/disco#items", "http://jabber.org/protocol/muc".
      8. S = 'client/pc<http://jabber.org/protocol/disco#info<http://jabber.org/protocol/disco#items<http://jabber.org/protocol/muc<'
      9. @@ -250,9 +257,8 @@ -

        Each time a conformant client sends presence, it annotates that presence with a client identifier ('node' attribute) and identity and feature identifier ('ver' attribute). Unless the server optimizations shown later are being used, the client MUST send this with every presence change (except for unavailable presence) to enable existing servers to remember the last presence for use in responding to probes.

        -

        If the supported features change during a client's session (e.g., a user installs an updated version of a client plugin), the application MUST recompute the 'ver' attribute and SHOULD send a new presence broadcast.

        -

        Note: The values of the 'node' and 'ver' attributes MUST NOT contain the '#' character, since that character is used as a separator in the Discovering Capabilities use case.

        +

        Each time a conformant entity sends presence, it annotates that presence with an entity identifier ('node' attribute) and identity and feature identifier ('ver' attribute). Unless the server optimizations shown later are being used, the client MUST send this with every presence change (except for unavailable presence) to enable existing servers to remember the last presence for use in responding to probes.

        +

        If the supported features change during a client's presence session (e.g., a user installs an updated version of a client plugin), the application MUST recompute the 'ver' attribute and SHOULD send a new presence broadcast.

        @@ -264,18 +270,24 @@
        -

        A contact can learn what features a user's client supports by sending a disco#info request (as defined in XEP-0030: Service Discovery) to any client that sent a particular value of the ver attribute.

        +

        An application can learn what features another entity supports by sending a disco#info request (see XEP-0030) to any entity that sent a particular value of the ver attribute.

        - + ]]> -

        The user then returns all of the capabilities supported by software.

        +

        The entity then returns all of the capabilities it supports.

        - + @@ -285,7 +297,7 @@ ]]> -

        The client MUST check the identities and supported features against the 'ver' value by calculating the hash as described under Generating the ver Attribute and making sure that the values match. If the values do not match, the client MUST NOT accept the 'ver' value as reliable and SHOULD check the value of another user who advertises that value (if any). This helps to prevent poisoning of entity capabilities information.

        +

        The client MUST check the identities and supported features against the 'ver' value by calculating the hash as described under Generating the ver Attribute and making sure that the values match. If the values do not match, the client MUST NOT accept or cache the 'ver' value as reliable and SHOULD check the value of another user who advertises that value (if any). This helps to prevent poisoning of entity capabilities information.

        @@ -302,7 +314,7 @@
        -

        A server that is managing an entity's session MAY choose to optimize traffic through the server. In this case, the server MAY strip off redundant capabilities annotations. Because of this, receivers of annotations MUST NOT expect an annotation on every presence packet they receive. If the server wants to perform this traffic optimization, it MUST ensure that the first presence each subscriber receives contains the annotation. The server MUST also ensure that any changes in the annotation (typically in the 'ext' attribute) are sent to all subscribers.

        +

        A server that is managing an entity's presence session MAY choose to optimize traffic through the server. In this case, the server MAY strip off redundant capabilities annotations. Because of this, receivers of annotations MUST NOT expect an annotation on every presence packet they receive. If the server wants to perform this traffic optimization, it MUST ensure that the first presence each subscriber receives contains the annotation. The server MUST also ensure that any changes in the annotation (e.g., an updated 'ver' attribute)(e.g., an updated 'ver' attribute) are sent to all subscribers.

        A client MAY query the server using disco#info to determine if the server supports the 'http://jabber.org/protocol/caps' feature. If so, the server MUST perform the optimization delineated above, and the client MAY choose to send the capabilities annotation only on the first presence packet, as well as whenever its capabilities change.

        @@ -325,17 +337,17 @@ ]]>
        - +

        If two entities exchange messages but they do not normally exchange presence (i.e., via presence subscription), the entities MAY choose to send directed presence to each other, where the presence information SHOULD be annotated with the same capabilities information as each entity sends in broadcasted presence. If capabilities information has not been received from another entity, an application MUST assume that the other entity does not support capabilities.

        - -

        No application-specific error codes are defined by this document. See XEP-0030: Service Discovery for a list of potential service discovery error codes.

        + +

        An application that accepts entity capabilities information SHOULD cache associations between the 'ver' attribute and discovered features within the scope of one presence session and MAY cache such associations across sessions. This obviates the need for extensive service discovery requests within a session or at the beginning of a session.

        -

        Use of the protocol specified in this document might make some client-specific forms of attack slightly easier, since the attacker could more easily determine the type of client being used. However, since most clients respond to jabber:iq:version requests without performing access control checks, there is no new vulnerability. Entities that wish to restrict access to capabilities information SHOULD use &xep0016; to define appropriate communications blocking (e.g., an entity MAY choose to allow IQ requests only from "trusted" entities, such as those with whom it has a subscription of "both").

        -

        Adherence to the algorithm defined in the Generation of ver Attribute section of this document helps to guard against poisoning of entity capabilities information by malicious or improperly implemented entities.

        +

        Use of the protocol specified in this document might make some client-specific forms of attack slightly easier, since the attacker could more easily determine the type of client being used. However, since most clients respond to Service Discoery and Software Version requests without performing access control checks, there is no new vulnerability. Entities that wish to restrict access to capabilities information SHOULD use &xep0016; to define appropriate communications blocking (e.g., an entity MAY choose to allow IQ requests only from "trusted" entities, such as those with whom it has a subscription of "both").

        +

        Adherence to the algorithm defined in the Generation of ver Attribute section of this document for both generation and checking of the 'ver' attribute helps to guard against poisoning of entity capabilities information by malicious or improperly implemented entities.

        @@ -371,7 +383,7 @@ - +