This message constitutes notice of a Last Call for comments on
XEP-0484.
Title: Fast Authentication Streamlining Tokens
Abstract:
This specification defines a token-based method to streamline
authentication in XMPP, allowing fully authenticated stream
establishment within a single round-trip.
URL: https://xmpp.org/extensions/xep-0484.html
This Last Call begins today and shall end at the close of business on
2025-01-27.
Please consider the following questions during this Last Call and send
your feedback to the standards(a)xmpp.org discussion list:
1. Is this specification needed to fill gaps in the XMPP protocol
stack or to clarify an existing protocol?
2. Does the specification solve the problem stated in the introduction
and requirements?
3. Do you plan to implement this specification in your code? If not,
why not?
4. Do you have any security concerns related to this specification?
5. Is the specification accurate and clearly written?
Your feedback is appreciated!
This message constitutes notice of a Last Call for comments on
XEP-0440.
Title: SASL Channel-Binding Type Capability
Abstract:
This specification allows servers to annouce their supported SASL
channel-binding types to clients.
URL: https://xmpp.org/extensions/xep-0440.html
This Last Call begins today and shall end at the close of business on
2024-05-20.
Please consider the following questions during this Last Call and send
your feedback to the standards(a)xmpp.org discussion list:
1. Is this specification needed to fill gaps in the XMPP protocol
stack or to clarify an existing protocol?
2. Does the specification solve the problem stated in the introduction
and requirements?
3. Do you plan to implement this specification in your code? If not,
why not?
4. Do you have any security concerns related to this specification?
5. Is the specification accurate and clearly written?
Your feedback is appreciated!
Hey hey,
Boring incoming:
https://github.com/xsf/xeps/pull/1407
This is draft to avoid the XSF Board accidentally approving it before the
community has had a chance to discuss.
The main change is the paragraph added in Section 6 (Discussion Process),
covering changes to the XEP during Experimental:
The XEP author incorporates the feedback by creating source control patches
> (such as Pull Requests), in line with the preferred method in &xep0143;.
> Direct changes to an Experimental XEP, such as a contributor providing a
> patch (or Pull Request on GitHub), are still the responsibility of the XEP
> author, and are only applied if the XEP author agrees. If a XEP has
> multiple authors, while agreement is sought from all authors, only those
> opinions from responsive authors are considered. If the Approving Body
> feels that the XEP author is not responsive, another author may be added
> unilaterally by the Approving Body.
This is trying to do two things:
1) Document the existing practice that the XMPP Council has followed,
whereby changes to Experimental XEPs need "agreement" (PR approval, or
similar) from the XEP Author.
2) Document the existing practice that the XMPP Council has followed.
whereby if a XEP Author isn't responsive (ie, doesn't respond to emails,
etc) the XMPP Council can add a new XEP Author.
3) Document the *new practice* that if a contribution isn't a PR, it's the
XEP Author who is responsible to turn it into one.
The rest of the changes surface and restate existing process/policy/URLs
and aren't that interesting (well, even less interesting).
There is one additional possible process deviation we should document (or
call the Process Police out, or something). Submission of a XEP, as per
XEP-0143, occurs via email tot he Editor. Is this really still the case? Or
are these now by PR? That'll need changing in XEP-0143, which I'm happy to
do if that's the case. It'd be nice to have a non-PR variant of the process
(post here?)
Dave.
Good evening.
I am working on a Python script which generates an Atom Syndication
Format XML feed from XMPP DOAP files. I will further add to it an XSLT
stylesheet to transform it to XHTML.
I have attached that script, for those who are inqusitive about it.
Problems
--------
However, I did notice, that some DOAP files are not updated, and some
are missing information.
Proposal
--------
I would suggest to add attributes for types of links (i.e. Gemini,
HTTP, PubSub, etc.), because in near future, resources such as
homepage, bug-database, developer-forum, developer-support, etc. will
be hosted on PubSub services over XMPP, instead of HTTP.
Question
--------
Is there an automated DOAP generator software or service?
Conclusion
----------
If there is no automated service yet, then I would create an XHTML
software with forms that would do so. Afterwards, I would also create
an XMPP service with Data Forms for that purpose.
Please advise.
Kindly,
Schimon
XEP-0158 has not been updated (in a major way) since late 2008, and ever
since then, all of the challenge types can be easily broken with a
neural network or ASICs/FPGAs/GPUs (for Hashcash). This makes
out-of-band CAPTCHA sites the only feasible method of fending off bots.
But requiring a user to visit a site to send a message or join a MUC
doesn't make it as seamless for them, Therefore the XEP should be
revamped in a way to still provide a seamless experience while also
providing security against modern attackers.
These are my suggestions in regards to this:
1) Deprecate OCR and recongition-based challenges and switch to more
interactive challenges (such as: pointing to parts of a picture that
matches a specified condition)
2) Add more Proof-of-Work algorithms and possibly deprecate Hashcash.
There should be a requirement for choosing candidate algorithms, we can
use Tor's requirements (from Equi-X's design notes) as an example:
1. The solution proof must be smaller than about 200 bytes.
2. Solution verification must be fast.
3. GPUs and FPGAs should not provide a large advantage for solving the
puzzle
- https://gitlab.torproject.org/tpo/core/tor/-/blob/main/src/ext/equix/devlog…
Unfortunately, the second requirement may disqualify Argon2 from being
used, due to its symmetry.
Version 0.1.0 of XEP-0505 (Data Forms File Input Element) has been
released.
Abstract:
This specification defines an element which can be used with data
forms to let users upload one or more files.
Changelog:
Accepted as Experimental by Concil vote on 2025-07-08 (XEP Editor: dg)
URL: https://xmpp.org/extensions/xep-0505.html
Note: The information in the XEP list at https://xmpp.org/extensions/
is updated by a separate automated process and may be stale at the
time this email is sent. The XEP documents linked herein are up-to-
date.
Version 0.1.0 of XEP-0504 (Data Policy) has been released.
Abstract:
This document specifies metadata on how an entity handles its data
(encryption, data retention, etc).
Changelog:
Accepted as Experimental by Concil vote on 2025-06-08 (XEP Editor: dg)
URL: https://xmpp.org/extensions/xep-0504.html
Note: The information in the XEP list at https://xmpp.org/extensions/
is updated by a separate automated process and may be stale at the
time this email is sent. The XEP documents linked herein are up-to-
date.
Version 1.2.0 of XEP-0363 (HTTP File Upload) has been released.
Abstract:
This specification defines a protocol to request permissions from
another entity to upload a file to a specific path on an HTTP server
and at the same time receive a URL from which that file can later be
downloaded again.
Changelog:
* Add optional upload purpose when requesting slots (dg)
URL: https://xmpp.org/extensions/xep-0363.html
Note: The information in the XEP list at https://xmpp.org/extensions/
is updated by a separate automated process and may be stale at the
time this email is sent. The XEP documents linked herein are up-to-
date.
