moparisthebest
/
xeps
mirror of https://github.com/moparisthebest/xeps
1
0
Fork 0
Code Issues Releases Wiki Activity
xeps/xep-0404.xml

430 lines
19 KiB
XML
Raw Blame History

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY % ents SYSTEM 'xep.ent'>
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<?xml-stylesheet type="text/css" href="xmpp.css"?>
<xep>
<header>
<title>Mediated Information eXchange (MIX): JID Hidden Channels.</title>
<abstract>This document defines an extension to Mediated Information eXchange (MIX) specified in XEP-0369. This specification extends MIX to provide a number of privacy control options and in particular JID Hidden Channels. </abstract>
&LEGALNOTICE;
<number>0404</number>
<status>Deferred</status>
<type>Standards Track</type>
<sig>Standards</sig>
<approver>Council</approver>
<dependencies>
<spec>XMPP Core</spec>
<spec>XMPP IM</spec>
<spec>XEP-0004</spec>
<spec>XEP-0030</spec>
<spec>XEP-0054</spec>
<spec>XEP-0060</spec>
<spec>XEP-0084</spec>
<spec>XEP-0128</spec>
<spec>XEP-0198</spec>
<spec>XEP-0292</spec>
<spec>XEP-0297</spec>
<spec>XEP-0313</spec>
<spec>XEP-0369</spec>
<spec>XEP-0372</spec>
<spec>XEP-0403</spec>
</dependencies>
<supersedes/>
<supersededby/>
<shortname>MIX-ANON</shortname>
&ksmithisode;
&skille;
<revision>
<version>0.3.1</version>
<date>2020-12-01</date>
<initials>gh/@mathieui</initials>
<remark>Various XML example cleanup and fixes</remark>
</revision>
<revision>
<version>0.3.0</version>
<date>2018-06-06</date>
<initials>sek</initials>
<remark><p>
Clarify how PMs can be used in JID Visible channels;
</p></remark>
</revision>
<revision>
<version>0.2.0</version>
<date>2018-06-05</date>
<initials>sek</initials>
<remark><p>
Remove vCard (now in MIX-PRESENCE);
Update PM rules;
Reflect changes in MIX-CORE and MIX-PRESENCE;
New JID map format;
</p></remark>
</revision>
<revision>
<version>0.1.0</version>
<date>2018-05-21</date>
<initials>sek</initials>
<remark><p>
Split out from MIX 0.10.0;
</p></remark>
</revision>
</header>
<section1 topic='Introduction' anchor='intro'>
<p>The Mediated Information eXchange (MIX) protocol framework and core capabilities are specified in &xep0369; (MIX-CORE). This specification provides mechanisms to hide participant JIDs from other participants. This is needed to address privacy concerns and to prevent JID harvesting. It also addresses privacy issues, and gives participants options to control sharing of information.
</p>
</section1>
<section1 topic='Concepts' anchor='concepts'>
<section2 topic="Private Messages" anchor="concepts-pm">
<p>
&xep0369; exposes participant JIDs to other participants, and so messages MAY be sent directly. When JIDs are hidden this is no longer possible.
Private messages MAY be sent to channel participants if allowed by channel policy. Private messages are switched through the channel to hide addressing.
Private messages MAY be switched through the channel when JIDs are visible. This might be useful. for example where sending messages directly is blocked.
</p>
</section2>
<section2 topic="JID Visibility Services" anchor="proxy-jid-services">
<p>
MIX channels have three modes controlling JID visibility, defined to prevent JID harvesting:
</p>
<table caption="JID Visibility Modes">
<tr><th>Mode</th><th>Description</th></tr>
<tr><td>'JID Visible'</td><td>In these channels all participant JIDs are visible to all channel participants.</td></tr>
<tr><td>'JID Maybe Visible'</td><td>In these channels, participant JIDs are visible to all channel participants when participant preference allows.</td></tr>
<tr><td>'JID&nbsp;Hidden'</td><td>In these channels, no participant JIDs are visible to channel participants, but they are visible to channel administrators.</td></tr>
</table>
<p>
A channel participant MAY specify a preference for JID visibility for the channel, with one of the following values:
</p>
<table caption="JID Visibility Preference Options">
<tr><th>Preference</th><th>Description</th></tr>
<tr><td>'Prefer Visible'</td><td>The users JID will be visible if the channel is JID Visible or JID Maybe Visible channels and hidden if the channel is JID Hidden. </td></tr>
<tr><td>'Prefer Hidden'</td><td>The user's JID will be hidden if the channel is JID Maybe Visible and shown if the channel is JID Visible .</td></tr>
<tr><td>'Enforce Hidden'</td><td>The user's JID will never be shown and the user will be removed from channel if channel mode is changed to JID Visible.</td></tr>
<tr><td>'Enforce Visible'</td><td>The users JID will always be shown and the user will be removed from channel if mode is changed to 'JID Hidden'.</td></tr>
</table>
<p>
The default value is 'Prefer Hidden'.
</p>
</section2>
<section2 topic="JID Visibility Architecture" anchor="proxy-jid-architecture">
<p>
MUC hides real JIDs by using Nicks to identify room occupants. This has problems with Nick changing and with multiple active clients for the same user. MIX identifies channel participants by Stable Participant ID. In &xep0369;, the user's JID is in the participants node and is shared in messages and presence. To hide JIDs, this specification makes three key changes
</p>
<ol>
<li>The requirement to include real JID in the participants list is relaxed for channels that are not "JID Visible". For a "JID Hidden" channel, real JIDs MUST NOT be included in the participants list. For a "JID Maybe Visible" channel, real JIDs will be included in the participants node according to participant preference. </li>
<li>JIDs are not shared in messages and presence, unless the recipient has permission to see the JID. Note that in JID Maybe Visible channels, this leads to the creation of two variants of message and presence. The MAM archive MUST hold only the variant without the JID, in order to prevent leaking of this information.</li>
<li>In presence messages, the client resource is anonymized, to prevent leakage of information through the resource.</li>
</ol>
<p>
This change means that the client will not be able to determine real JID of the participant using the participant node, as it can with &xep0369;.
</p>
<p>
It is important that MUC owners and administrators are able to see the JIDs of participants. For this reason, a MIX channel following this specification MUST hold a JID Map node, which gives a mapping between Stable Participant ID and JID.
</p>
</section2>
<section2 topic="Resource Hiding" anchor="proxy-jid-resource">
<p>
When JIDs are being hidden, the resource of the full JIDs stored in the presence node MUST also be anonymized using a similar mechanism.
Where the JID is hidden, the resource is replaced with a generated value. For example, 'hag66@shakespeare.example/UUID-a1j/7533' in the channel coven might have an encoded JID of '123456#coven@mix.shakespeare.example/789'. There is no client visible mapping maintained, as this is not needed. The MIX channel will need to maintain a mapping, to support directly addressing clients, such as for client to client disco#info queries. While an encoded JID is held in the presence node, the mapping to real JID MUST NOT be changed. When adding a client to the presence node, the server MAY add the same anonymized JID as used before by that client, or it MAY create a different anonymized JID.
</p>
</section2>
<section2 topic="JID Map Node" anchor="concepts-nodes">
<p>This specification defines a JID Map node, so that administrators can see JIDs for JID Hidden channels. This node MUST be present for JID Hidden and JID Maybe Visible channels. This node MAY be present for JID Visible channels. If this node is not present, JIDs will all be available in the participants node.</p>
<table caption="JID Map Node">
<tr><td>JID Map</td><td>'urn:xmpp:mix:nodes:jidmap'</td><td>For storing a list of Stable Participant IDs from the participants node with a 1:1 mapping to the corresponding JIDs.</td><td>Automatic</td><td>PubSub</td></tr>
</table>
<p>The JID Map node is used to associate a Stable Participant ID to its corresponding bare JID. It is a PubSub node with the 'node' attribute set to 'urn:xmpp:mix:nodes:jidmap'. The JID Map node MUST have one entry for each entry in the Participants node. This value is added when a user joins the channel and is removed when the user leaves the channel.
Each item is identified by Stable Participant ID mapping to the bare JID. This node is used to give administrator access to JIDs. A MIX server MUST NOT allow this node to be modified directly using pubsub.
Only administrators can subscribe to this node. The JID Map node is a permanent node with one item per participant. Information is stored in a &lt;participant/&gt; element qualified by the 'urn:xmpp:mix:anon:0' namespace. The real JID is stored in a &lt;jid/&gt; child element of the &lt;participant/&gt; element. </p>
<example caption="Value of JID Map Node"><![CDATA[
<items node='urn:xmpp:mix:nodes:jidmap'>
<item id='123456'>
<participant xmlns='urn:xmpp:mix:anon:0'>
<jid>hecate@mix.shakespeare.example</jid>
</participant>
</item>
</items>
]]></example>
</section2>
</section1>
<section1 topic='Use Cases' anchor='usecases'>
<section2 topic="User Preferences and Additional Information" anchor="usecase-visibilty-pref">
<p>A channel MAY store user preferences and parameters with each user. A user JID visibility preference has the following values:
</p>
<ol>
<li>'default'. In this setting, the channel default value will be used. This value is used if another value is not explicitly set. This means JID is visible for a JID Visible channel and JID is hidden for JID Hidden and JID Maybe Visible channels.</li>
<li>'never'. If this is set, JID will never be shared and user will be removed from the channel if its mode changes to JID Visible.</li>
<li>'always'. If this is set, JID will always be shared and users will be removed from the channel if its mode changes to JID Hidden.</li>
<li>'prefer not'. If this is set, JID will only be shared if mode is JID Visible.</li>
</ol>
<p>
The user MAY specify that no Private Messages are to be sent from the channel, and allow vCard retrieval.
</p>
<p>
The user MAY specify that presence is not to be shared, which will prevent the MIX Channel from sending a presence probe for the user on channel start-up. The user will also choose to not include the MIX channel in the user's roster, so that presence will not be updated. Where the channel configuration sets 'Participants Must Provide Presence', this variable MUST be set to 'Share'.
</p>
<p>
The following table sets out the standardized user preference values. A MIX implementation MAY use other values.
</p>
<table caption="Standard User Preference Options">
<tr><th>Option</th> <th>Values</th><th>Default</th></tr>
<tr><td>'JID Visibility'</td> <td>'default', 'never', 'always', 'prefer not'</td> <td>'default'</td></tr>
<tr><td>'Private Messages'</td><td>'allow', 'block'</td> <td>'allow'</td></tr>
<tr><td>'vCard'</td><td>'allow', 'block'</td> <td>'block'</td></tr>
<tr><td>'Presence'</td><td>'share', 'not share'</td><td>'share'</td></tr>
</table>
<p>When joining a channel, the client MAY specify one or more preference options as a &xep0004; form. In the response, the server MUST specify all of the user preferences supported by the server, with default values if the user has not requested a different value. The following example shows joining a channel and setting a preference. The following example shows the message sent from the user's server to the MIX channel, which will have been preceded by a message from the user's client to the user's server.</p>
<example caption="User Joins a Channel and Specifies a preference"><![CDATA[
<iq type='set'
from='hag66@shakespeare.example'
to='coven@mix.shakespeare.example'
id='E6E10350-76CF-40C6-B91B-1EA08C332FC7'>
<join xmlns='urn:xmpp:mix:anon:0'>
<subscribe node='urn:xmpp:mix:nodes:messages'/>
<subscribe node='urn:xmpp:mix:nodes:presence'/>
<x xmlns='jabber:x:data' type='submit'>
<field var='FORM_TYPE' type='hidden'>
<value>urn:xmpp:mix:anon:0</value>
</field>
<field var='JID Visibility'>
<value>never</value>
</field>
</x>
</join>
</iq>
]]></example>
<p>The following example shows the result of a successful join, which also reports all the user preferences. This example shows the message coming from the MIX channel to the user's server, which will be sent on to the user.</p>
<example caption="Channel Successfully Processes Join and returns the preferences set"><![CDATA[
<iq type='result'
from='coven@mix.shakespeare.example'
to='hag66@shakespeare.example'
id='E6E10350-76CF-40C6-B91B-1EA08C332FC7'>
<join xmlns='urn:xmpp:mix:anon:0' jid='hag66@shakespeare.example'>
<subscribe node='urn:xmpp:mix:nodes:messages'/>
<subscribe node='urn:xmpp:mix:nodes:presence'/>
<x xmlns='jabber:x:data' type='result'>
<field var='FORM_TYPE' type='hidden'>
<value>urn:xmpp:mix:anon:0</value>
</field>
<field var='JID Visibility'>
<value>never</value>
</field>
<field var='Private Messages'>
<value>allow</value>
</field>
<field var='vCard'>
<value>block</value>
</field>
</x>
</join>
</iq>
]]></example>
<p>The client MAY also query the channel in order to find out which user preferences are supported and the options available. This will allow users to set options not specified in the standard, by providing a form template in the result. The request is encoded as a &lt;user-preference/&gt; child element of &lt;iq/&gt;. &lt;user-preference/&gt; is qualified by the 'urn:xmpp:mix:anon:0' namespace. The result is encoded as a form child element in the &lt;user-preference/&gt; element.</p>
<example caption="User Requests and Recieves Preferences Template Form"><![CDATA[
<iq type='get'
from='hag66@shakespeare.example/UUID-a1j/7533'
to='coven@mix.shakespeare.example'
id='E6E10350-76CF-40C6-B91B-1EA08C332FC7'>
<user-preference xmlns='urn:xmpp:mix:anon:0'/>
</iq>
<iq type='result'
from='coven@mix.shakespeare.example'
to='hag66@shakespeare.example/UUID-a1j/7533'
id='E6E10350-76CF-40C6-B91B-1EA08C332FC7'>
<user-preference xmlns='urn:xmpp:mix:anon:0'>
<x xmlns='jabber:x:data' type='form'>
<field var='FORM_TYPE' type='hidden'>
<value>urn:xmpp:mix:anon:0</value>
</field>
<field type='list-single' label='Preference for JID Visibility
var='JID Visibility'>
<option label='JID Never Shown'><value>Never</value></option>
<option label='Default Behaviour'>
<value>default</value>
</option>
<option label='Try not to show JID'>
<value>prefer not</value>
</option>
</field>
<field type='list-single' label='Example Custom Preference'
var='Custom Preference'>
<option label='One Option'><value>a</value></option>
<option label='Another Option'><value>b</value></option>
</field>
</x>
</user-preference>
</iq>
]]></example>
<p>
A user MAY modify preferences using the corresponding set operation. The set MAY specify values for some or all attributes. All attributes are returned in the result.
</p>
<example caption="User Updates Preferences"><![CDATA[
<iq type='set'
from='hag66@shakespeare.example/UUID-a1j/7533'
to='coven@mix.shakespeare.example'
id='E6E10350-76CF-40C6-B91B-1EA08C332FC7'>
<user-preference xmlns='urn:xmpp:mix:anon:0'>
<x xmlns='jabber:x:data' type='submit'>
<field var='FORM_TYPE' type='hidden'>
<value>urn:xmpp:mix:anon:0</value>
</field>
<field var='JID Visibility'>
<value>never</value>
</field>
<field var='Private Messages'>
<value>allow</value>
</field>
<field var='vCard'>
<value>block</value>
</field>
</x>
</user-preference>
</iq>
<iq type='result'
from='coven@mix.shakespeare.example'
to='hag66@shakespeare.example/UUID-a1j/7533'
id='E6E10350-76CF-40C6-B91B-1EA08C332FC7'>
<user-preference xmlns='urn:xmpp:mix:anon:0'>
<x xmlns='jabber:x:data' type='result'>
<field var='FORM_TYPE' type='hidden'>
<value>urn:xmpp:mix:anon:0</value>
</field>
<field var='JID Visibility'>
<value>never</value>
</field>
<field var='Private Messages'>
<value>allow</value>
</field>
<field var='vCard'>
<value>block</value>
</field>
</x>
</user-preference>
</iq>
]]></example>
</section2>
<section2 topic='Sending Private Messages' anchor='usecase-user-private-messages'>
<p>
Private Messages are used to provide communication with another channel participant through the MIX channel. This may be used where the initiating user does not know the real JID of the channel participant or for other reasons. A message sent through the channel is addressed using the encoded JID of the client to which the message is being sent. Private messages will generally be sent to a bare JID, and this is shown in the following example. Private messages MAY be sent to a full JID.
</p>
<example caption="User Sends a Private Message"><![CDATA[
<message from='hag66@shakespeare.example/UUID-a1j/7533'
to='444456#coven@mix.shakespeare.example'
id='92vax143g'>
<body>Private meeting about Macbeth???</body>
</message>
]]></example>
<p>
The MIX channel will then process the message, to send to the real JID of the recipient. An encoded JID is used to identify the message sender.
</p>
<example caption="MIX Channel Sends Private Message to Recipient"><![CDATA[
<message from='123456#coven@mix.shakespeare.example/9988'
to='hag99@shakespeare.example'
id='92vax143g'>
<body>Private meeting about Macbeth???</body>
</message>
]]></example>
<p> Private Messages MUST NOT be archived by the MIX channel. Private Messages MAY be archived using MAM by the XMPP servers associated with initiator and responder. </p>
</section2>
</section1>
<section1 topic='Internationalization Considerations' anchor='i18n'>
<p>See considerations in &xep0369;.
</p>
</section1>
<section1 topic='Security Considerations' anchor='security'>
<p>See considerations in &xep0369;.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
<p>None.</p>
</section1>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<p>The urn:xmpp:mix namespace needs to be registered.</p>
</section1>
<section1 topic='XML Schema' anchor='schema'>
<p>To be supplied when MIX progresses to proposed standard.</p>
</section1>
<section1 topic='Acknowledgements' anchor='ack'>
<p>See &xep0369; for a list of contributors to the MIX Family of specifications.</p>
</section1>
</xep>
Reference in New Issue View Git Blame Copy Permalink