In addition to the "accept", "otr" and "security" fields specified in Chat Session Negotiation, Alice MUST send to Bob each of the ESession options (see list below) that she is willing to use, in her order of preference (see Mandatory to Implement Technologies). Note: Alice SHOULD NOT include a "reason" field since Aunt Tillie may not be aware the ESession request is not encrypted.

1. The list of Modular Exponential (MODP) group numbers (as specified in &rfc2409; or &rfc3526;) that MAY be used for Diffie-Hellman key exchange (valid group numbers include 1,2,3,4,5,14,15,16,17 and 18)

2. Symmetric block cipher algorithm names

3. Hash algorithm names

4. Signature algorithm names

5. Compression algorithm names

6. The list of stanza types that MAY be encrypted and decrypted

7. Whether or not the other entity MUST send the fingerprint of its public signature-verification key instead of the full key If the entity already possesses one of the other entity's public keys then it is RECOMMENDED that only the fingerprint is requested from the other entity - since this saves bandwidth.

8. The different versions of this protocol that are supported This version of this document describes version 1.0 of this protocol.

9. The minimum number of stanzas that MUST be exchanged before an entity MAY initiate a key re-exchange (1 - every stanza, 100 - every hundred stanzas). Note: This value MUST be less than &twosup32; (see Re-Keying Limits)

Each MODP group has at least two well known constants: a large prime number p, and a generator g for a subgroup of GF(p). For each MODP group that Alice specifies she MUST perform the following computations to calculate her Diffie-Hellman keys (where n is the number of bits per cipher block for the block cipher algorithm with the largest block size out of those she specified):

1. Generate a secret random number x (where &twosup2n; < x < p - 1)

2. Calculate e = &gsupx; mod p

Alice MUST send all her calculated values of e to Bob (in the same order as the associated MODP groups are being sent). She MUST also specify randomly generated Base64 encoded (in accordance with Section 3 of &rfc3548;) value of &NsubA; (her ESession ID).

If Bob does not want to reveal presence to Alice for whatever reason then Bob SHOULD return no response or error.

If Bob supports none of the options for one or more ESession fields, then he SHOULD return a ¬acceptable; error and SHOULD specify the field(s) with unsupported options in a comma-separated list in the XMPP <text/> element:

Either Bob or Alice MAY attempt to initiate a new ESession after any error during the negotiation process. However, both MUST consider the previous negotiation to have failed and MUST discard any information learned through the previous negotiation.

If Bob is unwilling to start an ESession, but he is ready to initiate a one-to-one chat session with Alice (see Chat Session Negotiation), and if Alice included an option for the "security" field with the value "none" or "c2s", then Bob SHOULD accept the Chat Session and terminate the ESession negotiation by specifying "none" or "c2s" for the value of the "security" field in his response.

If Bob supports one or more of each of Alice's ESession options and is willing to start an ESession with Alice, then he MUST select one of the options from each of the ESession fields he received from Alice including one hash algorithm ("HASH"), and one of the MODP groups and Alice's corresponding value of e (see &rfc3766; or RFC 3526 for recommendations regarding balancing the sizes of symmetric cipher blocks and Diffie-Hellman moduli).

Each MODP group has at least two well known constants: a large prime number p, and a generator g for a subgroup of GF(p). Bob SHOULD return a &feature; error unless: 1 < e < p - 1

Bob MUST then perform the following computations (where n is the number of bits per cipher block for the selected block cipher algorithm):

1. Generate a random number &NsubB; (his ESession ID)

2. Generate an n-bit random number &CsubA; (the block cipher counter for stanzas sent from Alice to Bob)

3. Set &CBeCAx2n1; (where &CsubB; is the block counter for stanzas sent from Bob to Alice)

4. Generate a secret random number y (where &twosup2n; < y < p - 1)

5. Calculate d = &gsupy; mod p

6. Calculate K = HASH(&esupy; mod p) (the shared secret)

Bob MUST use the shared secret ("K") and the selected hash algorithm ("HASH") to generate two sets of three keys, one set for each direction of the ESession.

For stanzas that Alice will send to Bob, the keys are calculated as:

1. Encryption key &KCsubA; = HASH(K, 0)

2. Integrity key &KMsubA; = HASH(K, 2)

3. SIGMA key &KSsubA; = HASH(K, 4)

For stanzas that Bob will send to Alice the keys are calculated as:

4. Encryption key &KCsubB; = HASH(K, 1)

5. Integrity key &KMsubB; = HASH(K, 3)

6. SIGMA key &KSsubB; = HASH(K, 5)

Once the sets of keys have been calculated the value of K MUST be securely destroyed.

Note: As many bits of key data as are needed for each key MUST be taken from the least significant bits of the hash output. When negotiating a hash, entities MUST ensure that the hash output is no shorter than the required key data. For algorithms with variable-length keys the maximum length (up to the hash output length) SHOULD be used.

Bob MUST perform the following steps before he can prove his identity to Alice while protecting it from third parties.

1. Select &pubKeyB;, the public key Alice should use to authenticate his signature with the signature algorithm he selected ("SIGN").

2. Set &formB; to the Normalized content of the reponse data form he will send back to Alice (including his responses for all the fields he received from Alice).

   Bob MUST encapsulate the Base64 encoded values of &CsubA; and Alice's &NsubA; in two new 'counter' and 'nonce' fields and add them to &formB;. Note: The 'pk_hash' field specifies whether or not Alice MUST send the fingerprint of her public signature-verification key instead of her full key. Note: The value of the 'rekey_freq' field MUST be less than &twosup32; and greater than or equal to the value specified by Alice. Note: Bob MUST place his Base64 encoded values of &NsubB; and d in the 'my_nonce' and 'keys' fields. Bob MUST NOT return Alice's values of e.

3. Concatenate Alice's ESession ID, Bob's ESession ID, d, &pubKeyB; and &formB;, and calculate the HMAC (as defined in Section 2 of &rfc2104;) of the resulting byte string using the selected hash algorithm ("HASH") and the key &KSsubB;.

   &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})

4. Calculate &signB;, the signature of the HMAC result using his private signature key that corresponds to &pubKeyB;

   &signB; = SIGN(&signKeyB;, &macB;)

5. If the value of the 'pk_hash' field that Alice sent Bob was true then Bob SHOULD set &pubKeyB; to the key's fingerprint

   if (pk_hash) &pubKeyB; = HASH(&pubKeyB;)

6. Concatenate &pubKeyB; and &signB; and encrypt the resulting byte string with the agreed algorithm ("CIPHER") in counter mode (see &nistfips800-38a;), using the encryption key &KCsubB; and block counter &CsubB;. Note: &CsubB; MUST be incremented by 1 for each encrypted block or partial block (i.e. &CsubB; = (&CsubB; + 1) mod 2n, where n is the number of bits per cipher block for the agreed block cipher algorithm).

   &IDB; = CIPHER(&KCsubB;, &CsubB;, {&pubKeyB;, &signB;})

7. Calculate the HMAC of the encrypted identity (&IDB;) and the value of Bob's block cipher counter &CsubB; before the encryption above using the selected hash algorithm ("HASH") and the integrity key &KMsubB;.

   &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)

Bob responds to Alice by sending her &formB;.

If Bob prefers the RECOMMENDED 3-message ESession negotiation, where Alice's identity is protected from active attacks instead of his own, then he should encapsulate the Base64 encoded values of &IDB; and &MsubB; in data form fields ('identity' and 'mac'), and append the new fields to &formB; before sending it to Alice.

After Alice receives Bob's response, she MUST use the value of d and the ESession options specified in Bob's response to perform the following steps (where p and g are the constants associated with the selected MODP group, HASH is the selected hash algorithm, and n is the number of bits per cipher block for the agreed block cipher algorithm):

1. Return a &feature; error to Bob if she is not prepared to support any of the ESession options specified by Bob (if any of the options were not included in her initial ESession request)

2. Return a &feature; error to Bob unless: 1 < d < p - 1

3. Set &CBeCAx2n1; (where &CsubB; is the block counter for stanzas sent from Bob to Alice)

4. Select her values of x and e that correspond to the selected MODP group (from all the values of x and e she calculated previously)

5. Calculate K = HASH(&dsupx; mod p) (the shared secret)

6. Generate the session keys (&KCsubA;, &KMsubA;, &KSsubA;, &KCsubB;, &KMsubB; and &KSsubB;) in the same way as Bob did (see Generating Session Keys)

If Bob included 'identity' and 'mac' fields in his response then Alice MUST also perform the following steps:

1. Calculate the HMAC of the encrypted identity (&IDB;) and the value of Bob's block cipher counter using HASH and the integrity key &KMsubB;.

   &MsubB; = HMAC(HASH, &KMsubB;, &CsubB;, &IDB;)

2. Return a &feature; error to Bob unless the value of &MsubB; she calculated matches the one she received in the 'mac' field

3. Obtain &pubKeyB; and &signB; by decrypting &IDB; with the agreed symmetric block cipher algorithm ("DECIPHER") in counter mode, using the encryption key &KCsubB; and block counter &CsubB;. Note: &CsubB; MUST be incremented by 1 for each encrypted block or partial block (i.e. &CsubB; = (&CsubB; + 1) mod 2n, where n is the number of bits per cipher block for the agreed block cipher algorithm).

   {&pubKeyB;, &signB;} = DECIPHER(&KCsubB;, &CsubB;, &IDB;)

4. If the value of the 'pk_hash' field she sent to Bob in her ESession Request was true, then Alice SHOULD change the value of &pubKeyB; to be her copy of the public key whose HASH matches the value of &pubKeyB; that she received from Bob. Note: If she cannot find a copy of the public key then Alice MUST terminate the ESession. She MAY then request a new ESession with the 'pk_hash' field set to false.

5. Return a &feature; error to Bob unless she can confirm (or has previously confirmed) that &pubKeyB; really is Bob's public key, for examples, via secure out-of-band communication, or through a third-party authority (see Verifying Keys).

6. Set the value of &formB; to be the Normalized content of the form she received from Bob without any 'identity' or 'mac' fields.

7. Concatenate Alice's ESession ID, Bob's ESession ID, d, &pubKeyB; and &formB;, and calculate the HMAC of the resulting byte string using HASH and the key &KSsubB;.

   &macB; = HMAC(HASH, &KSsubB;, {&NsubA;, &NsubB;, d, &pubKeyB;, &formB;})

8. Return a &feature; error to Bob unless she can use &pubKeyB; with the selected signature verification algorithm ("VERIFY") to confirm that &signB; is the signature of the HMAC result (see Signature Verification).

   VERIFY(&signB;, &pubKeyB;, &macB;)

Alice MUST then prove her identity to Bob while protecting it from third parties. She MUST perform the steps equivalent to those Bob performed above (see Hiding Identity for a more detailed description). Alice's calculations are summarised below (pay attention to the order of &NsubB; and &NsubA; when calculating &macA;). Note: &formA; is the Normalized content of the ESession Request data form that she sent to Bob previously.

Alice MUST send the Base64 encoded values of &NsubB;, &IDA; and &MsubA; to Bob. If Alice has already confirmed Bob's identity (i.e. if Bob included 'identity' and 'mac' fields in his response), then she MAY also send encrypted content (see Exchanging Stanzas) in the same stanza as the proof of her identity.

If Alice also includes a 'terminate' field with its value set to "1" or "true" (see ESession Termination) within the form then the ESession is terminated immediately. Note: This special case, where a single stanza is encrypted and sent in isolation, is equivalent to object encryption (or object signing if no encryption is specified) and offers several significant advantages over non-session approaches - including perfect forward secrecy.

After receiving Alice's identity Bob MUST verify it by performing steps equivalent to those described in the section Verifying Bob's Identity above. Some of Bob's calculations are summarised below (pay attention to the order of &NsubB; and &NsubA; when calculating &macA;). Note: &formA; is the Normalized content of the ESession Request data form (the first form) that Alice sent him. Note: If Bob sends an error to Alice then he SHOULD ignore any encrypted content he received in the stanza.

If Alice has already confirmed Bob's identity (i.e. if Bob included 'identity' and 'mac' fields in his response above), then the ESession negotiation is complete.

Otherwise, one more step is necessary. Bob MUST send Alice the Base64 encoded values of &NsubA;, &IDB; and &MsubB; that he calculated previously (see Hiding Identity). Note: He MAY also send encrypted content (see Exchanging Stanzas) in the same stanza.

After receiving Bob's identity Alice MUST verify it by performing steps described in the section Verifying Bob's Identity above. Note: If Alice sends an error to Bob then she SHOULD ignore any encrypted content she received in the stanza.

Once ESession negotiation is complete, Alice and Bob MUST exchange only encrypted forms of the one-to-one stanza types they agreed upon (e.g., &MESSAGE; and &IQ; stanzas).

Either Alice or Bob MAY send encrypted stanzas. Here we describe the process where Alice sends Bob an encrypted stanza. She MUST only encrypt the XML content that would normally be ignored by the intermediate servers. She MUST NOT encrypt stanza wrapper elements or Advanced Message Processing elements.

Alice MUST perform the following steps to encrypt the XML content. Note: if there is no XML content to be encrypted (e.g. if this is an empty Re-Keying stanza), then &CsubA; MUST be incremented by 1 (see below), and only the last two steps (normalization and MAC calculation) should be performed.

1. Serialize the XML content she wishes to send into an array of UTF-8 bytes, m. Although counter mode encryption requires no padding, implementations MAY still disguise the length of m by appending a random number of white-space characters.

2. Compress m using the negotiated algorithm. If a compression algorithm other than 'none' was agreed, the compression context is typically initialized after key exchange and passed from one stanza to the next, with only a partial flush at the end of each stanza. If Bob were to receive a stanza out-of-order, then he would fail to decrypt the stanza and be forced to terminate the ESession.

   m_compressed = compress(m)

3. Encrypt the data with the agreed algorithm in counter mode, using the encryption key &KCsubA;. Note: &CsubA; MUST be incremented by 1 for each encrypted block or partial block (i.e. &CsubA; = (&CsubA; + 1) mod 2n, where n is the number of bits per cipher block for the agreed block cipher algorithm). Note: if the block cipher algorithm 'none' was agreed (see Unencrypted ESessions) then encryption MUST NOT be performed and &CsubA; MUST be incremented by 1 (for replay protection).

   m_final = encrypt(&KCsubA;, &CsubA;, m_compressed)

4. Alice MUST now create the Normalized XML content of the <encrypted/> XML element. If there is encrypted XML content, the XML MUST include the Base64 encoded value of m_final wrapped in a <data/> element. Note: the <encrypted/> element MAY also contain one <key/> element and one or more <old/> elements (see Re-Keying).

   m_content = '<data> ** Base64 encoded m_final ** </data>'

5. The XML content and the value of Alice's block cipher counter &CsubA; before the data was encrypted, are now processed through the HMAC algorithm, along with the agreed hash algorithm ("HASH") and the integrity key &KMsubA;.

   a_mac = HMAC(HASH, &KMsubA;, m_content, &CsubA;)

Before sending the stanza to Bob, Alice MUST wrap m_content and the Base64 encoded value of a_mac (wrapped in a <mac/> element) inside an <encrypted/> element and insert it into the stanza in place of the original content. There MUST NOT be more than one <encrypted/> element per stanza.

When Bob receives the stanza from Alice, he extracts and Base64 decodes the values of m_final and a_mac from the content and performs the following steps.

1. Remove the <mac/> element from the <encrypted/> element and Normalize the remaining XML content. Calculate the Message Authentication Code (MAC) for the content.

   b_mac = HMAC(HASH, &KMsubA;, m_content, &CsubA;)

2. Verify that b_mac and a_mac match. If they are not identical, the content has been tampered with and Bob MUST terminate the ESession, he MAY send a ¬acceptable; error to Alice. If Bob were to receive a stanza out-of-order, then the MACs would not match because the values of &CsubA; would not be synchronized.

3. Decrypt m_final using the agreed algorithm, &KCsubA; and &CsubA;. Note: &CsubA; MUST be incremented by 1 for each decrypted block (see Encryption). Note: if the block cipher algorithm 'none' was agreed decryption MUST NOT be performed and &CsubA; MUST be incremented by 1.

   m_compressed = decrypt(&KCsubA;, &CsubA;, m_final)

4. Decompress m_compressed using the negotiated algorithm (usually 'none').

   m = decompress(m_compressed)

5. Replace the <encrypted/> element in the serialized XML stanza with m and feed the stanza into an XML parser. If the parser returns an XML format error then Bob MUST terminate the ESession, he MAY send a ¬acceptable; error to Alice. Bob MUST NOT send a stream error to his server since intermediate entities are not responsible for encoded content.

Either Alice or Bob MAY initiate a key re-exchange. Here we describe the process initiated by Alice. First she MUST calculate new values for the encryption parameters:

1. Generate a secret random number x (where &twosup2n; < x < p - 1, where n is the number of bits per cipher block for the agreed block cipher algorithm)

2. Calculate e = &gsupx; mod p

3. Calculate K = &dsupx; mod p (the new shared secret)

4. Calculate &KCsubA;, &KMsubA;, &KCsubB;, &KMsubB; from K (see Generating Session Keys)

To avoid extra stanzas, the new value of e SHOULD be sent to Bob along with an encrypted stanza. Note: Alice MUST NOT use the new &KCsubA; and &KMsubA; to encrypt this stanza or to calculate the MAC. However, she MUST use them when sending subsequent stanzas.

Note: There is no need for Alice to provide a signature because the calculation of the MAC includes the new value of e, see Exchanging Stanzas).

Note: Bob may not receive the new key before he sends his next stanzas (they may cross in transit). So, before destroying her old values of &KCsubB; and &KMsubB;, Alice MUST wait until either she receives a stanza encrypted with the new key, or a reasonable time has passed (60 seconds should cover a network round-trip and calculations by a constrained client). Similarly she MUST wait before destroying her old value of x, in case Bob sends two stanzas before receiving Alice's new key (the first stanza might include a re-key).

After Bob has received a stanza with a new value of e, has confirmed it is greater than one, and has decrypted the stanza with the old value of &KCsubA;, he MUST securely destroy all copies of &KCsubA; and &KCsubB; and perform the following calculations with the new value of e:

1. Calculate K = &esupy; mod p

2. Calculate &KCsubA;, &KMsubA;, &KCsubB;, &KMsubB; from K (see Generating Session Keys)

He MUST use these new values to encrypt and decrypt all subsequent stanzas. If an entity fails to receive any stanza that includes a new key in the correct order, then it will fail to decrypt the next stanza it receives and be forced to terminate the ESession.

The next time Bob sends Alice a stanza he MUST specify the number of rekeys he has received from her since he sent her his last stanza. He does that by setting the 'rekeys' attribute of the <data/> element. Note: The default value of the 'rekeys' attribute is zero.

When Alice receives the stanza from Bob she MUST use the 'rekeys' attribute to decide which of her values of &KCsubB; and &KMsubB; (or x) she should use to decrypt the stanza - otherwise she would not know if Bob received her rekey(s) before he sent the stanza. Once she is sure Bob has received her rekey(s) she MUST discard all her older values of &KCsubB;, &KMsubB; and x.

Once the expired MAC keys have been published, anyone could create valid arbitrary stanzas with them. This prevents anyone being able to prove the authenticity of a transcript of the ESession in the future.

Either entity MAY publish old values of &KMsubA; and/or &KMsubB; within any encrypted stanza as long as it knows that all the stanzas that MAY use the old values have been received and validated. Note: A 'man-in-the-middle' could delay the delivery of stanzas indefinitely. So, before Alice publishes &KMsubA; (and &KMsubB;), she MUST wait until she has both sent a re-key to Bob and received a stanza from Bob encrypted with her new key. (She MAY also publish &KMsubB; after she has received a re-key from Bob.)

Entities SHOULD ignore any <old/> elements they receive.

Before the signature or MAC of a block of XML is generated or verified, all character data between all elements MUST be removed and the XML MUST be converted to canonical form (see &w3canon;).

All the XML this protocol requires to be signed or MACed is very simple, so in this case, canonicalization SHOULD only require the following changes:

• Set attribute value delimiters to quotation marks (i.e. simply replace all single quotes in the serialized XML with double quotes)
• Impose lexicographic order on the attributes of "field" elements (i.e. ensure "type" is before "var")

Implementations MAY conceivably also need to make the following changes. Note: Empty elements and special characters SHOULD NOT appear in the signed or MACed XML specified in this protocol.

• Ensure there are no character references
• Convert empty elements to start-end tag pairs
• Ensure there is no whitespace except for single spaces before attributes

Before the signature or MAC of a block of XML is generated or verified, the agreed hash algorithm MUST be used to generate the hash of the normalized XML.

The signature generation depends on the type of private key being used.

The signature formats are the same for all public key formats. All integers are stored in big-endian byte order.

The signature verification depends on the type of public key being used.

Weak pseudo-random number generators (PRNG) enable successful attacks. Implementors MUST use a cryptographically strong PRNG to generate all random numbers (see &rfc1750;).

After a key exchange an entity MUST NOT exchange a total of &twosup32; encrypted blocks before it initiates a key re-exchange (see &rfc4344;). Note: This limitation also ensures the same key and counter values are never used to encrypt two different blocks using counter mode (thus preventing simple attacks).

In order to reduce the Perfect Forward Secrecy window of vulnerability, after an extended period of activity, entities SHOULD either re-key or terminate the ESession.

The trust system outlined in this document is based on Alice trusting that the public key presented by Bob is actually Bob's key (and vice versa). Determining this trust may be done in a variety of ways depending on the entities' support for different public key (certificate) formats, signing algorithms and signing authorities. For instance, if Bob publishes a PGP/GPG public key, Alice MAY verify that his key is signed by another key that she knows to be good. Or, if Bob provides an X.509 certificate, she MAY check that his key has been signed by a Certificate Authority that she trusts.

When trust cannot be achieved automatically, methods that are not transparent to the users may be employed. For example, Bob could communicate the SHA-256 fingerprint of his public key to Alice via secure out-of-band communication (e.g. face-to-face). This would enable Alice to confirm that the public key she receives in-band is valid. Note however that very few people bother to verify fingerprints in this way. So this method is exceptionally vulnerable to 'man-in-the-middle' attacks. In order to reduce the window of vulnerability, an entity SHOULD remember the fingerprints of all user-validated public keys and alert the user in the future if ever the fingerprint(s) it stored for an entity do not match any of the received public keys.

Alternatively Alice and Bob could agree a shared secret via secure out-of-band communication, Bob could then use it to create an HMAC of his public key that only Alice could verify.

Note: If no keys are acceptable to Alice (because Alice has never verified any of the keys, and because either the keys are not signed, or Alice does not support the signature algorithms of the keys, or she cannot parse the certificate formats, or she does not recognise the authorities that signed the keys) then, although the ESession can still be encrypted, she cannot be sure she is communicating with Bob.

The block cipher counters maintained implicitly by Alice and Bob (&CsubA; and &CsubB;) prevent stanzas being replayed within any ESession. They ensure that the MAC will be different for all stanzas, even if the HMAC key and the content of the stanza are identical.

Alice and Bob MUST ensure that the value of e or d they provide when negotiating each online ESession is unique. This prevents complete online ESessions being replayed.

Organisations with full disclosure policies may require entities to disable encryption to enable the logging of all messages on their server. Unencrypted ESessions meet all the Security Requirements except for Confidentiality. Unencrypted ESessions enable Alice to to confirm securely with Bob that both client-server connections are secure. i.e. that the value of the 'security' option (as specified in Chat Session Negotiation) has not been tampered with.

If either entity stores a (re-encrypted) transcript of an ESession for future consultation then the Perfect Forward Secrecy offered by this protocol is lost. If the negotiated value of the 'otr' Chat Session Negotiation field is 'true' the entities SHOULD NOT store any part of the ESession content (not even in encrypted form).

Cryptography plays only a small part in an entity's security. Even if it implements this protocol perfectly it may still be vulnerable to other attacks. For examples, an implementation might store ESession keys on swap space or save private keys to a file in cleartext! Implementors MUST take very great care when developing applications with secure technologies.

An implementation of ESession MUST support the Diffie-Hellman Key Agreement and HMAC algorithms. Note: The parameter names mentioned below are related to secure shell; see SSH Transport Layer Encryption Modes for block cipher algorithm details; see the &ianassh; for other names.

Upon approval of this document, the ®ISTRAR; shall register the following namespaces:

• http://jabber.org/protocol/esession
• http://jabber.org/protocol/esession#init

&xep0068; defines a process for standardizing the fields used within Data Forms qualified by a particular namespace. The following fields shall be registered for use in both Encrypted Sessions and Chat Session Negotiation:

1. Standardise on the X.509 public key and signature formats?
2. What challenges exist to make the OTR Gaim Plugin use this protocol natively when talking to Jabber entities? Can these be mitigated by 'non-critical' protocol changes?
3. Would anything in this protocol (e.g., its dependency on in-order stanza delivery) prevent an XMPP entity using it to exchange encrypted messages and presence with a user of a non-XMPP messaging system, assuming that the gateway both supports this protocol and is compatible with a purpose-built security plugin on the other user's client (e.g. a Gaim plugin connects to the gateway via a non-XMPP network)?
4. Could use &xep0013; (FOMR) instead of AMP to prevent any offline ESessions Bob can't decrypt being delivered to him. (Each <item/> that corresponds to an ESession message would have to contain a <ESessionID/> child, to allow Bob to discover which of his stored values of y was used to encrypt the message.)

1. Ask the authors of AMP to explain how to achieve the match_resource functionality specified in XEP-0187.
2. Define names for X.509 SubjectPublicKeyInfo public key formats (different to X.509 certificates). This format must be used when keys are distributed within session negotiation.
3. Add non-repudiable signing option
4. Perhaps the document needs to specify more carefully how block counters are handled between messages, especially in the event of partial blocks?
5. Give examples of specific errors and discuss error scenarios throughout document (e.g., what should Bob do if he is not offline and he receives an offline key exchange stanza?).
6. Define an optional protocol that would allow Alice to store values of &NsubA; and x (and the PKIDs she trusts) 'securely' on her own server (before she goes offline).