No Description
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

xep-0383.xml 9.4KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258
  1. <?xml version='1.0' encoding='UTF-8'?>
  2. <!DOCTYPE xep SYSTEM 'xep.dtd' [
  3. <!ENTITY % ents SYSTEM 'xep.ent'>
  4. %ents;
  5. ]>
  6. <?xml-stylesheet type='text/xsl' href='xep.xsl'?>
  7. <xep>
  8. <header>
  9. <title>Burner JIDs</title>
  10. <abstract>
  11. A mechanism by which users may request anonymous, ephemeral "burner" JIDs.
  12. </abstract>
  13. &LEGALNOTICE;
  14. <number>0383</number>
  15. <status>Deferred</status>
  16. <type>Standards Track</type>
  17. <sig>Standards</sig>
  18. <approver>Council</approver>
  19. <dependencies>
  20. <spec>XMPP Core</spec>
  21. <spec>RFC 4422</spec>
  22. </dependencies>
  23. <supersedes/>
  24. <supersededby/>
  25. <shortname>burner</shortname>
  26. &sam;
  27. <revision>
  28. <version>0.1.1</version>
  29. <date>2017-01-28</date>
  30. <initials>ssw</initials>
  31. <remark><p>Improve security considerations.</p></remark>
  32. </revision>
  33. <revision>
  34. <version>0.1</version>
  35. <date>2016-12-07</date>
  36. <initials>XEP Editor: ssw</initials>
  37. <remark><p>Initial version approved by the council.</p></remark>
  38. </revision>
  39. </header>
  40. <section1 topic='Introduction' anchor='intro'>
  41. <p>
  42. In many XMPP applications it is desirable to be able to act anonymously to
  43. prevent leaking personally identifiable information (PII) to a third party.
  44. Traditionally this is accomplished using SASL authentication and the
  45. ANONYMOUS mechanism as detailed in &xep0175;, however, the ANONYMOUS
  46. mechanism is in reality an authorization mechanism and does not provide
  47. authentication of users.
  48. </p>
  49. <p>
  50. This specification solves these problems by decoupling anonymous identity
  51. management from authentication (auth) and authorization (authz).
  52. This allows logged in users (authenticated or anonymous at the server
  53. operators disgression) to request a new temporary identifier, a "burner"
  54. JID, which may be used by its owner to construct a new session with the
  55. server that is authorized to communicate anonymously with third parties and
  56. is (optionally) locally authenticated.
  57. </p>
  58. </section1>
  59. <section1 topic='Glossary' anchor='glossary'>
  60. <dl>
  61. <di>
  62. <dt>Burner JID</dt>
  63. <dd>
  64. A temporary JID that is not valid for the purpose of authentication but
  65. which may be authorized by an existing pre-authenticated session.
  66. </dd>
  67. </di>
  68. <di>
  69. <dt>Ephemeral identity</dt>
  70. <dd>
  71. The identity of a user on the server comprising a burner JID and any
  72. other associated data.
  73. </dd>
  74. </di>
  75. <di>
  76. <dt>Authentication identity</dt>
  77. <dd>
  78. The users normal identity and JID which they use to authenticate with
  79. the server and create new XMPP sessions.
  80. </dd>
  81. </di>
  82. </dl>
  83. </section1>
  84. <section1 topic='Use Cases' anchor='usecases'>
  85. <ul>
  86. <li>
  87. As a user concerned about spam I want to join a public chat room
  88. anonymously to prevent JID harvesting.
  89. </li>
  90. <li>
  91. As the author of a social website I want to allow users to create
  92. ephemeral identities which can be used to contact them even if they have
  93. not granted access to their personal information.
  94. </li>
  95. <li>
  96. As a server operator I want to allow users to act anonymously, but also
  97. want a way to rate limit the creation of ephemeral identities associated
  98. with a given authentication identity.
  99. </li>
  100. </ul>
  101. </section1>
  102. <section1 topic='Business Rules' anchor='rules'>
  103. <p>
  104. The user requests an ephemeral identity from the server or another XMPP
  105. service by sending an IQ containing an "identity" payload qualified by the
  106. urn:xmpp:burner:0 namespace.
  107. </p>
  108. <example caption='User requests ephemeral identity'><![CDATA[
  109. <iq from='caiusmarcius@example.net/corioli'
  110. id='h7ns81g'
  111. to='example.net'
  112. type='get'>
  113. <identity xmlns='urn:xmpp:burner:0'/>
  114. </iq>]]></example>
  115. <p>
  116. If the service wishes to issue an ephemeral identity to the user it replies
  117. with a new burner JID:
  118. </p>
  119. <example caption='Server issues burner JID'><![CDATA[
  120. <iq from='example.net'
  121. id='h7ns81g'
  122. to='caiusmarcius@example.net/corioli'
  123. type='result'>
  124. <identity xmlns='urn:xmpp:burner:0'>
  125. <jid>
  126. hfgnINTSA-ciCLz6NhTtCD5Jr0k:1477672278884j@example.net
  127. </jid>
  128. </identity>
  129. </iq>]]></example>
  130. <p>
  131. The burner JID MUST be a bare JID.
  132. Burner JIDs are not valid for the purpose of authentication, but may be
  133. authorized to perform actions.
  134. To use the burner JID the client then attempts to establish a new session
  135. with the server using the account that requested the burner JID as the
  136. authentication identity and the burner JID as the authorization identity as
  137. defined in &rfc4422; &sect;2. If the server does not support SASL, or does
  138. not support any SASL mechanisms that support authorization identities,
  139. burner JIDs cannot be used.
  140. </p>
  141. </section1>
  142. <section1 topic='Determining Support' anchor='support'>
  143. <p>
  144. Services that support issuing burner JIDs MUST advertise the fact in
  145. responses to &xep0030; "disco#info" requests by returning an identity of
  146. "authz/ephemeral":
  147. </p>
  148. <example caption='Service responds to disco#info query'><![CDATA[
  149. <iq type='result'
  150. from='muc.example.net'
  151. to='caiusmarcius@example.net/corioli'
  152. id='k3hs5174'>
  153. <query xmlns='http://jabber.org/protocol/disco#info'>
  154. <identity type='im' name='MyServer' category='server'/>
  155. <identity type='pep' name='MyServer' category='pubsub'/>
  156. <identity type='ephemeral' category='authz'/>
  157. <feature var='http://jabber.org/protocol/disco#info'/>
  158. <feature var='http://jabber.org/protocol/disco#items'/>
  159. <feature var='http://jabber.org/protocol/muc'/>
  160. …]]></example>
  161. </section1>
  162. <section1 topic='Implementation Notes' anchor='impl'>
  163. <p>
  164. It may be impractical to store verification information for every burner JID
  165. issued by the system.
  166. To this end servers that implement this specification MAY choose to encode
  167. information into the localpart of issued burner JIDs which can be verified
  168. when a user attempts to authorize a new session to use the burner JID.
  169. If an implementation chooses to do this it is RECOMMENDED that an
  170. &nistfips198-1; be used.
  171. This HMAC MAY include the JID of the associated authentication identity, an
  172. expiration or issued time for the burner JID, session information, TLS
  173. channel binding data, or any other information the server wishes to verify.
  174. The format of this key or its input values is left as an implementation
  175. decision.
  176. </p>
  177. <p>
  178. As with persistent JIDs, the client MUST NOT assign any meaning to the
  179. localpart or resourcepart of a burner JID.
  180. </p>
  181. </section1>
  182. <section1 topic='Security Considerations' anchor='security'>
  183. <p>
  184. To prevent burner JIDs from being abused for spamming, implementations MAY
  185. rate limit all burner JIDs in use by an authn identity as a single unit.
  186. However, be advised that this may provide a third party that can monitor
  187. traffic patterns with the ability to determine what burner JIDs belong to
  188. the same user.
  189. To prevent a burner JIDs authn identity from being discovered the same way,
  190. burner JIDs SHOULD NOT share a rate limit with their authn identity.
  191. </p>
  192. <p>
  193. If TLS channel binding information is encoded in the local part of the
  194. burner JID it is RECOMMENDED that the tls-unique channel binding value be
  195. used as defined by &rfc5929; &sect;3.
  196. Note that unless the master-secret fix from &rfc7627; has been implemented
  197. channel binding information does not include enough context to successfully
  198. verify the binding when resuming a TLS session.
  199. </p>
  200. <p>
  201. Implementations that choose to encode information in the localpart of burner
  202. JIDs should take care when choosing a hash function.
  203. For current recommendations see &xep0300;.
  204. </p>
  205. </section1>
  206. <section1 topic='IANA Considerations' anchor='iana'>
  207. <p>This docment requires no interaction with the &IANA;.</p>
  208. </section1>
  209. <section1 topic='XMPP Registrar Considerations' anchor='registrar'>
  210. <section2 topic='Service Discovery Category/Type' anchor='registrar-disco'>
  211. <p>
  212. Upon advancement of this proposal from experimental to draft status the
  213. &REGISTRAR; will include a category of "authz" in its registry at
  214. &DISCOCATEGORIES;.
  215. The registrar will also add a value of "ephemeral" to that category.
  216. The registry submission is as follows:
  217. </p>
  218. <code><![CDATA[
  219. <category>
  220. <name>authz</name>
  221. <desc>Services and nodes that provide authorization identities.</desc>
  222. <type>
  223. <name>ephemeral</name>
  224. <desc>
  225. An authorization service that provides ephemeral identities.
  226. </desc>
  227. <doc>XEP-0383</doc>
  228. </type>
  229. </category>
  230. ]]></code>
  231. <p>
  232. Future submissions to the XMPP Registrar may register additional types.
  233. </p>
  234. </section2>
  235. <section2 topic='Protocol Namespaces' anchor='registrar-ns'>
  236. <p>This specification defines the following XML namespaces:</p>
  237. <ul>
  238. <li>urn:xmpp:burner:0</li>
  239. </ul>
  240. <p>
  241. Upon advancement of this proposal from experimental to draft status the
  242. registrar will include the foregoing namespaces in its registry at
  243. &NAMESPACES; as governed by &xep0053;.
  244. </p>
  245. <p></p>
  246. </section2>
  247. <section2 topic='Namespace Versioning' anchor='registrar-versioning'>
  248. &NSVER;
  249. </section2>
  250. </section1>
  251. <section1 topic='XML Schema' anchor='schema'>
  252. <p>TODO.</p>
  253. </section1>
  254. <section1 topic='Acknowledgements' anchor='ack'>
  255. <p>The author wishes to thank Philipp Hancke for his feedback.</p>
  256. </section1>
  257. </xep>