Message Receipts

%ents; ]>

Message Receipts This document specifies a protocol for XMPP message receipts. &LEGALNOTICE; 0184 Experimental Standards Track Standards JIG Council XMPP Core JEP-0022 (in part) amp-receipts &stpeter; &hildjj; 0.2 2006-09-21 psa

Added two more scenarios; defined business rule about not sending to bare JIDs; specified security consideration regarding presence leaks.

0.1 2006-04-11 psa

Initial JEP version.

0.0.2 2006-04-07 psa

Added text and examples for service discovery; added text and examples for chat session negotiation; added recommendations regarding message processing, retries, etc.

0.0.1 2006-03-27 psa

First draft.

While &jep0079; provides message acknowledgements at the server level, it does not extend that model all the way to the client. However, sometimes client-level acknowledgements are needed, for example to provide "receipts". This document defines a mechanism for XMPP message receipts.

This document addresses the following requirements:

Enable a sender to request notification that an XMPP message stanza has been received.
Enable a recipient to provide message receipts if desired.

Note: This document explicitly does not define a protocol for "guaranteed delivery", since that term (like "security") means different things to different people. Instead, we define a more focused protocol that addresses the need for message receipts, thus solving one problem that falls under the heading of "guaranteed delivery".

In general there are seven possible scenarios (where "S" stands for sender and "R" stands for recipient):

 |
|    send message                       |
|                                       |
| <------------------------------------ |
|                      send receipt     |
|                                       |
  ]]>

In Scenario 1, the use case ends successfully with message delivery, receipt delivery, and no retries.

 |
|    re-send message                    |
|                                       |
| <------------------------------------ |
|                      send receipt     |
|                                       |
  ]]>

In Scenario 2, the use case ends successfully with message delivery failure, message retry, and receipt delivery.

 |
|    send message                       |
|                                       |
|      x------------------------------- |
|                      send receipt     |
|                                       |
| [trigger timeout]                     |
|                                       |
| ------------------------------------> |
|    re-send message                    |
|                                       |
| <------------------------------------ |
|                      send receipt     |
|                                       |
  ]]>

In Scenario 3, the use case ends successfully with message delivery, receipt delivery failure, message retry, and receipt delivery.

 |
|    send message                       |
|                                       |
| ------------------------------------> |
|    send presence unavailable          |
|                                       |
  ]]>

In Scenario 4, the use case ends unsuccessfully with message delivery and the sender generating presence unavailable (because the sender has gone offline, the recipient has no one to send the receipt to).

 |
|    send message                       |
|                                       |
| -------------------------------x      |
|    send presence unavailable          |
|                                       |
| <------------------------------------ |
|                      send receipt     |
|                                       |
  ]]>

In Scenario 5, the use case ends unsuccessfully with message delivery and the sender generating presence unavailable; however, the presence unavailable is not delivered, so the recipient sends a receipt, which is not delivered within the sender's timeout period since the sender is now offline.

 |
|    send message                       |
|                                       |
| <------------------------------------ |
|    send presence unavailable          |
|                                       |
  ]]>

In Scenario 6, the use case ends unsuccessfully with message delivery and the recipient generating presence unavailable (because the recipient has gone offline before sending a receipt, the sender cannot be sure that the message has been received).

 |
|    send message                       |
|                                       |
|   x---------------------------------- |
|    send presence unavailable          |
|                                       |
| [trigger timeout]                     |
|                                       |
| ------------------------------------> |
|    re-send message                    |
|                                       |
  ]]>

In Scenario 7, the use case ends unsuccessfully with message delivery and the recipient generating presence unavailable; however, the presence unavailable is not delivered, so the sender retries sending the message and because the recipient is now offline it cannot send a receipt within the sender's timeout period.

In order to make it possible for senders to request, and for recipients to generate, message receipts, we define a new Advanced Message Processing rule: "receipt". In accordance with JEP-0079, we provide the following information about the receipt rule:

The namespace shall be "http://jabber.org/protocol/amp?condition=receipt".
The condition applies only to final receipt by the intended recipient; therefore, the per-hop flag does not apply.
The only defined value of the receipt rule is "received".
This condition is met if a message processing application (client) controlled by the intended recipient has received and processed the message; the term "processed" is understood to include presentation to a human user if appropriate Therefore this specification does not distinguish between delivery and presentation, as was done in &jep0022;. or any other application-specific client-side processing, including generation of an error response if the application determines that the message contents cannot be handled.

The namespace shall be "http://jabber.org/protocol/amp?condition=receipt".
The condition applies only to final receipt by the intended recipient; therefore, the per-hop flag does not apply.
The only defined value of the receipt rule is "received".
This condition is met if a message processing application (client) controlled by the intended recipient has received and processed the message; the term "processed" is understood to include presentation to a human user if appropriate Therefore this specification does not distinguish between delivery and presentation, as was done in &jep0022;. or any other application-specific client-side processing, including generation of an error response if the application determines that the message contents cannot be handled.
Although any defined action may be triggered, the only action needed in order to support message receipts is the "notify" action.

The following is an example of a message that includes a request for return receipt.

My lord, dispatch; read o'er these articles. ]]>

If the recipient supports Advanced Message Processing and the "receipt" rule, it MUST generate a receipt:

]]>

The general business rules specified for Advanced Message Processing in JEP-0079 apply to any rule; in addition, the following business rules apply specifically to the receipt rule:

A sender SHOULD NOT include a request for message receipts when sending a message to the bare JID (&BAREJID;) of the recipient, only when sending to a full JID (&FULLJID;).
A sender SHOULD NOT include a request for message receipts unless it knows (via &jep0030; or &jep0115;) that the intended recipient supports the protocol described herein or unless the use of message receipts is negotiated via &jep0155;.
The sender (i.e., the message generating application controlled by the sender) MUST initiate a timeout upon sending each message, which timeout SHOULD be 30 seconds. If the sender does not receive a message receipt (or failure event) within its timeout period, it MUST re-send the message with an identical value of the XMPP 'id' attribute.
The sender MUST NOT send a large number of retries. How many retries are appropriate depends on how important the message is perceived to be. In any case, a sender SHOULD NOT send more than five retries.
The recipient (i.e., the message processing application controlled by the intended recipient that receives a given message) MUST initiate a timeout upon sending each message receipt, which timeout SHOULD be 60 seconds. If the recipient does not receive a re-sent message within its timeout period, it SHOULD stop waiting for a re-sent message and discard memory of that message ID.
The recipient MUST NOT include a request for message receipts in its acknowledgements. If the sender receives a request for message receipts in an acknowledgement, it MUST NOT acknowledge the acknowledement.
The recipient SHOULD send the message receipt once it has processed the message, which may include presenting it to a human user (e.g., visually or aurally). The receiving application SHOULD NOT require a human user to positively affirm that he or she has read and understood the message before sending the receipt, since this is unnecessarily intrusive in the context of instant messaging.

Naturally, the receipt rule can be combined wiith rules specified in JEP-0079 (e.g., the deliver rule) for more complete reporting.

This document covers one use case: sending messages with return receipt requested, for which succcess is defined as the sender receiving a message receipt. As described above, there are seven possible scenarios. These are described in more detail in the following sections.

In the "happy path", the sender sends the message and the recipient returns a receipt within the sender's timeout period.

My lord, dispatch; read o'er these articles. ]]> ]]>

In this scenario the sender sends the message but it is not received for whatever reason; therefore the sender resends the message after the timeout period expires, the resent message is received, and the recipient returns a receipt within the sender's (second) timeout period.

My lord, dispatch; read o'er these articles. ]]>

The message is not received and the sender does not receive a receipt within the sender's timeout period; therefore the sender resends the message.

My lord, dispatch; read o'er these articles. ]]>

Now the message is received and the recipient returns a receipt.

]]>

In this scenario the sender sends the message and it not received, but the message receipt is not received for whatever reason; therefore the sender resends the message after the timeout period expires, the resent message is received, and the recipient returns a receipt within the sender's (second) timeout period.

My lord, dispatch; read o'er these articles. ]]>

The message is received and the recipient returns a receipt.

]]>

The message receipt is not received by the sender within the sender's timeout period; therefore the sender resends the message.

My lord, dispatch; read o'er these articles. ]]>

The resent message is received and the recipient returns a receipt, which is received by the sender within the sender's (second) timeout period.

]]>

In this scenario the sender sends the message but immediately goes offline. Therefore the recipient MUST NOT send a receipt.

My lord, dispatch; read o'er these articles. ]]> ]]>

The use case ends unsuccessfully, since the sender did not receive a receipt.

In this scenario the sender sends the message but immediately goes offline, however the sender's presence unavailable is not delivered to the recipient so the recipient sends a receipt but the sender's timeout is not triggered.

My lord, dispatch; read o'er these articles. ]]> ]]>

The recipient does not receive the presence unavailable so sends a message receipt.

]]>

However, the sender does not receive the receipt within its timeout period (since it is now offline), so the use case ends unsuccessfully.

In this scenario the sender sends the message but receives unavailable presence from the recipient before receiving a receipt within the timeout period.

My lord, dispatch; read o'er these articles. ]]> ]]>

The use case ends unsuccessfully, since the sender did not receive a receipt.

In this scenario the sender sends the message and the recipient sends unavailable presence before sending a receipt, but the presence unavailable is not delivered so the sender retries but does not receive a receipt since the recipient is now offline; after some number of retries the sender gives up and cannot be sure that the message was ever received.

My lord, dispatch; read o'er these articles. ]]> ]]>

The sender does not receive the presence unavailable so sends a retry.

My lord, dispatch; read o'er these articles. ]]>

After sending some number of retries the sender gives up and the use case ends unsuccessfully.

If a sender wishes to request message receipts, it SHOULD first discover whether the intended recipient supports message receipts. Support can be discovered indirectly via Entity Capabilities or directly via Service Discovery.

If an entity supports Advanced Message Processing, it MUST report that by including a service discovery feature of "http://jabber.org/protocol/amp" as described in JEP-0079:

]]> ... ... ]]>

An entity that supports Advanced Message Processing SHOULD also maintain a service discovery node named "http://jabber.org/protocol/amp", at which it advertises the individual actions and conditions it supports. If an entity supports message receipts, it SHOULD respond to service discovery information requests sent to that node with a reply that includes the 'http://jabber.org/protocol/amp?condition=receipt' condition:

]]> ... ... ]]>

Two entities MAY negotiate the use of message receipts for a given session using Chat Session Negotiation. The parameter to be negotiated is named "http://jabber.org/protocol/amp?condition=receipt". Its use is illustrated in the following examples.

ffd7076498744578d10edabfe7f4a866 http://jabber.org/protocol/chatneg true 0 ]]> ffd7076498744578d10edabfe7f4a866 http://jabber.org/protocol/chatneg true 1 ]]>

It is possible for a recipient to leak its presence when returning message receipts; therefore, a recipient SHOULD NOT return message receipts to senders who are not otherwise authorized to view its presence.

No interaction with &IANA; is necessary as a result of this document.

The ®ISTRAR; maintains a registry of Advanced Message Processing <rule/> conditions (see &CONDITIONS;). The Registrar shall add the following condition to the registry:


  receipt
  http://jabber.org/protocol/amp?condition=receipt
  false
  received
  
    The condition is met if a message processing application (client)
    controlled by the intended recipient has received and processed
    the message, including presentation to a human user if appropriate.
  
  JEP-xxxx

    ]]>

&jep0068; defines a process for standardizing the fields used within Data Forms qualified by a particular namespace and the Jabber Registrar maintains a registry of such fields (see &FORMTYPES;). The Registrar shall add the following field for use in Chat Session Negotiation forms:


  http://jabber.org/protocol/chatneg
  

      ]]>

Thanks to Joe Kemp for his input.