XEP-0158 has not been updated (in a major way) since late 2008, and ever
since then, all of the challenge types can be easily broken with a
neural network or ASICs/FPGAs/GPUs (for Hashcash). This makes
out-of-band CAPTCHA sites the only feasible method of fending off bots.
But requiring a user to visit a site to send a message or join a MUC
doesn't make it as seamless for them, Therefore the XEP should be
revamped in a way to still provide a seamless experience while also
providing security against modern attackers.
These are my suggestions in regards to this:
1) Deprecate OCR and recongition-based challenges and switch to more
interactive challenges (such as: pointing to parts of a picture that
matches a specified condition)
2) Add more Proof-of-Work algorithms and possibly deprecate Hashcash.
There should be a requirement for choosing candidate algorithms, we can
use Tor's requirements (from Equi-X's design notes) as an example:
1. The solution proof must be smaller than about 200 bytes.
2. Solution verification must be fast.
3. GPUs and FPGAs should not provide a large advantage for solving the
puzzle
- https://gitlab.torproject.org/tpo/core/tor/-/blob/main/src/ext/equix/devlog…
Unfortunately, the second requirement may disqualify Argon2 from being
used, due to its symmetry.
Version 0.1.0 of XEP-0505 (Data Forms File Input Element) has been
released.
Abstract:
This specification defines an element which can be used with data
forms to let users upload one or more files.
Changelog:
Accepted as Experimental by Concil vote on 2025-07-08 (XEP Editor: dg)
URL: https://xmpp.org/extensions/xep-0505.html
Note: The information in the XEP list at https://xmpp.org/extensions/
is updated by a separate automated process and may be stale at the
time this email is sent. The XEP documents linked herein are up-to-
date.
Version 0.1.0 of XEP-0504 (Data Policy) has been released.
Abstract:
This document specifies metadata on how an entity handles its data
(encryption, data retention, etc).
Changelog:
Accepted as Experimental by Concil vote on 2025-06-08 (XEP Editor: dg)
URL: https://xmpp.org/extensions/xep-0504.html
Note: The information in the XEP list at https://xmpp.org/extensions/
is updated by a separate automated process and may be stale at the
time this email is sent. The XEP documents linked herein are up-to-
date.
Version 1.2.0 of XEP-0363 (HTTP File Upload) has been released.
Abstract:
This specification defines a protocol to request permissions from
another entity to upload a file to a specific path on an HTTP server
and at the same time receive a URL from which that file can later be
downloaded again.
Changelog:
* Add optional upload purpose when requesting slots (dg)
URL: https://xmpp.org/extensions/xep-0363.html
Note: The information in the XEP list at https://xmpp.org/extensions/
is updated by a separate automated process and may be stale at the
time this email is sent. The XEP documents linked herein are up-to-
date.
Version 1.10.0 of XEP-0080 (User Location) has been released.
Abstract:
This specification defines an XMPP protocol extension for
communicating information about the current geographical or physical
location of an entity.
Changelog:
Added <regioncode/> element. (jp)
URL: https://xmpp.org/extensions/xep-0080.html
Note: The information in the XEP list at https://xmpp.org/extensions/
is updated by a separate automated process and may be stale at the
time this email is sent. The XEP documents linked herein are up-to-
date.
Good day.
I was wondering of formatting the XML documents for XEPs to Atom
Syndication Format.
This would allow people to subscribe to selected XEPs and to receive
automatic updates.
The XHTML pages would remain the same, as they are today, once the XSLT
stylesheet be adapted to the new Atom format.
This is a recent realization which I have had, during drafting a new
publishing system in which each page, be made of Atom Syndication
Format, including fixed pages such as "about", "contact", and "help",
with an exception for an OPML page.
gemini://woodpeckersnest.space/~schapps/journal/2025-07-03-rivista-to-be-atom-based-publishing-system.gmi
https://portal.mozz.us/gemini/woodpeckersnest.space/~schapps/journal/2025-0…
Please advise.
Kind regards,
Schimon
The XMPP Extensions Editor has received a proposal for a new XEP.
Title: Data Policy
Abstract:
This document specifies metadata on how an entity handles its data
(encryption, data retention, etc).
URL: https://xmpp.org/extensions/inbox/data_policy.html
The Council will decide in the next two weeks whether to accept this
proposal as an official XEP.
Hi all,
I'm currently implementing SASL2 (et al) into Openfire, which is amusing
since I had the first implementation there years ago.
In doing so, I've a few comments, most of which are directed at past-me of
course. Past-me is an idiot, and I have ample evidence of this.
1) One of the changes from the original SASL profile is that there's no
need for (and mention of) the "equals hack" to indicate no data. Should
this be explicitly called out?
2) The user-agent - this is a SHOULD (well, RECOMMENDED, which means the
same thing). The consequences of not including it are that other
specifications might rely on it - the same as the id, which is also SHOULD.
I dislike the amount of SHOULD here, it feels like the "outer" SHOULD is
sufficient, and a user-agent with no id attribute is a bit useless.
3) The id string given MUST be a UUIDv4. What should the server do if it
receives a non-UUID, or a UUID of a different type to v4? A purist might
reject it, but this seems wrong - what guidance can we put here? If we
accept any old string, and it's not a UUIDv4, what happens?
4) Second para of Initiation talks about an authorization string, but
there's no such string defined. Was this intended to mean the requested
authorization identity in the SASL mechanism? That's an interesting
challenge, especially from just the initial-response which might not be
present. I think I follow the intent here, but the detail seems off.
Dave.