[Standards-JIG] Request for commentary: How to best implement a PEP node which contains multiple items?

[Nick Parker]

Hello, a few months ago I submitted an XEP for file sharing between 
Jabber users. After a busy semester I have resumed work on the XEP, 
namely by implementing it with PEP support. One question that I've run 
into is the issue of how the PEP node should contain files. Here is a 
list of some of the options that I've considered, seeking your 
commentary on which one looks like the best implementation that still 
follows the rules of PEP/Pubsub.

Situation: Juliet wants to publish a list of files to her friends as a 
PEP node (or several PEP nodes, if option 2 or 3 are used). Here are the 
ways I've thought of organizing the nodes:

---

1) One monolithic PEP node containing all files (where each file is an 
"item" as defined in the PEP spec)

Good: Simple. Follows existing PEP spec to the letter

Bad: Doesn't allow any granularity as far as which users can see which 
files. Access is provided on an all-or-nothing basis, since PEP 
determines permissions per node, rather than per item within the node.

2) Many PEP nodes, each can contain any number of files

Good: Versatile. User can define different arbitrary lists (one list per 
PEP node), and can set permissions on a per-list basis.

Bad: Does PEP support multiple nodes of the same type? If not, should it?

3) Many PEP nodes, where each represents a single file

Good: Total granularity of who can access which files.

Bad: Same as #2. Might also be a little bandwidth intensive if many 
files are being shared. If several get updated, all subscribers are 
notified for EACH FILE, with no grouping.

I'm leaning towards option 2, as it balances between the best of both 
worlds, but the PEP spec is vague as to whether the server can hold 
multiple nodes of the same type, so it might not be legal with the 
current spec. However, I haven't read the PubSub spec too closely, so it 
might be legal via that.

---

In addition to the above options, there is also this question: Should 
the list of shared files be stored on the PEP server, or should it be 
kept on the sharing client? If the list is stored on the server, then 
the server effectively has knowledge of all clients' shared files, which 
users may consider to be a breach of privacy.
To avoid this, I thought of using the PEP node(s) as merely pointers to 
the actual file list, which is stored on the sharing client and sent to 
permitted users when requested directly. However, this brings up an 
issue with synchronization of permissions between the sharing client and 
the PEP server (ensuring that both agree as to which users have access 
to which lists).

Thanks for whatever thoughts you have!

Nick