%ents; ]>
Burner JIDs A mechanism by which users may request arbitrary anonymizing "burner" JIDs for short term use. &LEGALNOTICE; xxxx ProtoXEP Standards Track Standards Council XMPP Core NOT_YET_ASSIGNED &sam; 0.0.1 2016-10-28 ssw

First draft.

In many XMPP applications it is desirable to be able to act anonymously to prevent leaking personally identifiable information (PII) to a third party. Traditionally this is accomplished using SASL authentication and the ANONYMOUS mechanism as detailed in &xep0175;, however, ANONYMOUS auth provides no mechanism for changing identities (requesting a new JID) without creating a new session, and server operators may not wish to allow anonymous authentication to prvent abuse.

This specification solves these problems by decoupling anonymous identity management from authentication. This allows logged in users (anonymous or otherwise at the server operators disgression) to request a new temporary identifier, a "burner" JID, which may be used by its owner in any context where they would normally use their persistent primary JID.

Burner JID
A temporary JID that is not valid for the purpose of authentication but which may be used in place of the authentication identity in a pre-authenticated session.
Ephemeral identity
The identity of a user on the server comprising a shared secret and any associated burner JIDs or other stored information about the user.
Authentication identity
The users normal identity and JID which they use to autenticate with the server and create new XMPP sessions.

The user requests an ephemeral identity from the server or another XMPP service by sending an IQ containing an "identity" payload qualified by the urn:xmpp:burner:0 namespace.

]]>

If the service wishes to issue an ephemeral identity to the user it replies with a new burner JID:

hfgnINTSA-ciCLz6NhTtCD5Jr0k:1477672278884j@example.net/4db06f06-1ea4-11dc-aca3-000bcd821bfb ]]>

Services that support issuing burner JIDs MUST advertise the fact in responses to &xep0030; "disco#info" requests by returning an identity of "":

…]]>

It may be impractical to store verification information for every burner JID issued by the system. To this end it is RECOMMENDED that the localpart of a burner JID be an HMAC-SHA-2 which includes the users JID or another unique identifier, an expiration or issued time for the burner JID if appropriate, TLS channel binding information, session information, or any other data the server wishes to verify. The format of this key or its input values is left as an implementation decision. As with persistent JIDs, the client MUST NOT assign any meaning to the localpart or resourcepart of a burner JID.

To prevent burner JIDs from being abused for spamming, implementations SHOULD rate limit all burner JIDs in use by a given authentication identity as a single unit.

When a users session ends it is RECOMMENDED that any ephemeral identities associated with their session be purged.

If TLS channel binding information is encoded in the burner JID it is RECOMMENDED that the tls-unique channel binding value be used as defined by &rfc5929; §3. However, for resumed sessions the JIDs SHOULD be considered invalid unless the master-secret fix from &rfc7627; has been implemented because otherwise resumption does not include enough context to successfully verify the binding.

This docment requires no interaction with the &IANA;.

Upon advancement of this proposal from experimental to draft status the ®ISTRAR; will include a category of "authz" in its registry at &DISCOCATEGORIES;. The registrar will also add a value of "ephemeral" to that category. The registry submission is as follows:

authz Services and nodes that provide authorization identities. ephemeral An authorization service that provides ephemeral "burner" identities. XEP-XXXX ]]>

Future submissions to the XMPP Registrar may register additional types.

This specification defines the following XML namespaces:

  • urn:xmpp:burner:0

Upon advancement of this proposal from experimental to draft status the registrar will include the foregoing namespaces in its registry at &NAMESPACES; as governed by &xep0053;.

&NSVER;

TODO.