forked from xsf/xeps
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathxep-0175.xml
197 lines (197 loc) · 10.2 KB
/
xep-0175.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY % ents SYSTEM 'xep.ent'>
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<xep>
<header>
<title>Best Practices for Use of SASL ANONYMOUS</title>
<abstract>This document specifies best practices for use of the SASL ANONYMOUS mechanism in the context of client authentication with an XMPP server.</abstract>
&LEGALNOTICE;
<number>0175</number>
<status>Active</status>
<type>Informational</type>
<sig>Standards</sig>
<approver>Council</approver>
<dependencies>
<spec>XMPP Core</spec>
</dependencies>
<supersedes/>
<supersededby/>
<shortname>N/A</shortname>
&stpeter;
<revision>
<version>1.2</version>
<date>2009-09-30</date>
<initials>psa</initials>
<remark><p>Provided more detailed recommendations regarding usage restrictions for anonymous users, including the concept of different deployment types; added note about the account/anonymous service discovery identity.</p></remark>
</revision>
<revision>
<version>1.1</version>
<date>2007-11-07</date>
<initials>psa</initials>
<remark><p>Recommended that node identifier be a UUID; recommended that trace data not be included.</p></remark>
</revision>
<revision>
<version>1.0</version>
<date>2006-09-20</date>
<initials>psa</initials>
<remark><p>Per a vote of the Jabber Council, advanced status to Active.</p></remark>
</revision>
<revision>
<version>0.1</version>
<date>2006-02-09</date>
<initials>psa</initials>
<remark><p>Initial version; modified flow to remove unecessary challenge.</p></remark>
</revision>
<revision>
<version>0.0.1</version>
<date>2006-01-24</date>
<initials>psa</initials>
<remark><p>First draft.</p></remark>
</revision>
</header>
<section1 topic='Introduction' anchor='intro'>
<p>&xmppcore; allows XMPP server implementations to support any SASL mechanism (see &rfc4422;) when authenticating clients. This document provides recommendations regarding use of the SASL ANONYMOUS mechanism (see &rfc4505;) in XMPP systems.</p>
</section1>
<section1 topic='Deployment Types' anchor='deployments'>
<p>XMPP server implementations can be deployed in a variety of settings. Although it is difficult to provide recommendations for every kind of XMPP deployment, this document attempts to strike a balance between more and less controlled settings by defining three different deployment types:</p>
<ul>
<li>Public deployments, such as well-known instant messaging (IM) services on the open Internet.</li>
<li>Private deployments, such as enterprise IM services, technical support departments, and helplines.</li>
<li>Specialized deployments that typically will be accessed in a controlled fashion, such as gaming services, members-only websites, and applications that are not used directly by human users.</li>
</ul>
</section1>
<section1 topic='Recommendations' anchor='recommendations'>
<p>An XMPP server implementation SHOULD NOT enable the SASL ANONYMOUS mechanism by default, but instead SHOULD force the administrator of a given service to explicitly enable support in the context of that deployment.</p>
<p>When a client authenticates using SASL ANONYMOUS, an XMPP server SHOULD assign a temporary, unique bare JID &LOCALBARE; to the client. Although the method for ensuring the uniqueness of the localpart is a matter of implementation, it is RECOMMENDED for the localpart to be a UUID as specified in &rfc4122;.</p>
<p>Although <cite>RFC 4505</cite> allows the client to provide so-called "trace data" when authenticating via SASL ANONYMOUS, it is NOT RECOMMENDED for the client to include trace data as the XML character data of the <auth/> element (instead, the <auth/> element SHOULD be empty). However, if trace data is included, the server MUST NOT use it for any purpose other than tracing (e.g., not use it as the resource identifier of the anonymous user's full JID).</p>
<p>Because an anonymous user is unknown to the server, the server SHOULD appropriately restrict the user's access in order to limit the possibility of malicious behavior (such as denial of service attacks as described in &xep0205;), especially on public deployments. The following restrictions are encouraged on public deployments. Administrators of private deployments and specialized deployments are advised to take these restrictions into account when configuring their services, but can reasonably relax these restrictions if they have appropriate access controls in place or their deployment requirements cannot be met using the more restrictive profile applied in public deployments.</p>
<ol start='1'>
<li><p>During resource binding, the server MAY ignore the resource identifier provided by the client (if any) and instead assign a resource identifier that it generates on behalf of the client.</p></li>
<li><p>The server SHOULD NOT allow the client to initiate communication with entities hosted at remote servers.</p></li>
<li><p>The server MAY allow the client to establish relationships with local services and users; such relationships might include presence subscriptions and roster additions (see &xmppim;), &xep0045; registrations, and &xep0060; subscriptions. (Note that allowing presence subscriptions and roster additions can create a sub-optimal user experience for the added contacts.) However, if the server permits such relationships, it MUST cancel them when the client's session ends.</p></li>
<li><p>The server MAY allow the client to store information on the server for the purpsoe of providing an optimal user experience (e.g., storage of client preferences using &xep0049;). However, if the server allows this, it SHOULD remove such information when the client's session ends.</p></li>
<li><p>The server SHOULD NOT allow the client to send large numbers of XMPP stanzas or otherwise use large amounts of system resources (e.g., by binding multiple resource identifiers or creating multiple &xep0065; sessions).</p></li>
</ol>
</section1>
<section1 topic='Protocol Flow' anchor='flow'>
<p>The RECOMMENDED protocol flow following TLS negotiation (refer to <cite>RFC 3920</cite>) is as follows:</p>
<ol>
<li>
<p>Client initiates stream to server.</p>
<example caption="Stream initiation"><![CDATA[
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:client'
to='example.com'
version='1.0'>
]]></example>
</li>
<li>
<p>Server replies with stream header.</p>
<example caption="Stream header reply"><![CDATA[
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:client'
id='c2s_234'
from='example.com'
version='1.0'>
]]></example>
</li>
<li>
<p>Server advertises stream features.</p>
<example caption="Stream features advertisement"><![CDATA[
<stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism>
<mechanism>ANONYMOUS</mechanism>
</mechanisms>
</stream:features>
]]></example>
</li>
<li>
<p>Client requests SASL ANONYMOUS mechanism.</p>
<example caption="Requesting SASL ANONYMOUS"><![CDATA[
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='ANONYMOUS'/>
]]></example>
</li>
<li>
<p>Server sends <success/>.</p>
<example caption="Sending success"><![CDATA[
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
]]></example>
</li>
<li>
<p>Client opens new stream.</p>
<example caption="Initiating a new stream"><![CDATA[
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:client'
to='example.com'
version='1.0'>
]]></example>
</li>
<li>
<p>Server tells client that resource binding is required.</p>
<example caption="Stream header reply with features"><![CDATA[
<stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
xmlns='jabber:client'
id='c2s_345'
from='example.com'
version='1.0'>
<stream:features>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
</stream:features>
]]></example>
</li>
<li>
<p>Client requests that server create a resource for it.</p>
<example caption="Requesting resource creation"><![CDATA[
<iq type='set' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
</iq>
]]></example>
</li>
<li>
<p>Server replies with full JID.</p>
<example caption="Server informs client of full JID"><![CDATA[
<iq type='result' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<jid>[email protected]/2384F02A7E01</jid>
</bind>
</iq>
]]></example>
</li>
</ol>
</section1>
<section1 topic='Service Discovery' anchor='disco'>
<p>A server MUST reply to a &xep0030; information ("disco#info") request sent to the bare JID &LOCALBARE; of the user with an identity of "account/anonymous", as shown in the following example.</p>
<example caption="Server informs client of full JID"><![CDATA[
<iq from='[email protected]'
id='kj37vd95'
to='[email protected]/foo'
type='result'>
<query xmlns='http://jabber.org/protocol/disco#info'>
<identity category='account' type='anonymous'/>
<feature var='http://jabber.org/protocol/disco#info'/>
<feature var='http://jabber.org/protocol/disco#items'/>
</query>
</iq>
]]></example>
</section1>
<section1 topic='Security Considerations' anchor='security'>
<p>The security considerations discussed in <cite>RFC 3920</cite> and <cite>RFC 4505</cite> apply to the use of SASL ANONYMOUS in XMPP; specific suggestions regarding usage restrictions for anonymous users are provided under the <link url='#rec'>Recommendations</link> section of this document.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
<p>This document requires no interaction with &IANA;.</p>
</section1>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<p>This document requires no interaction with the ®ISTRAR;.</p>
</section1>
<section1 topic='Acknowledgements' anchor='ack'>
<p>Thanks to Dave Cridland, Tuomas Koski, Jack Moffitt, Andy Skelton, and Kurt Zeilenga for their feedback.</p>
</section1>
</xep>