- Standards

XEP-0277 to include attributes of "atom:feed" element

by Schimon Jehudah

Greetings. XEP-0277 is meant to deliver RFC 4287 (Atom format) over XMPP. However, as with Atom Activity Stream, only elements "atom:entry" are delivered. So, elements "atom:subtitle" and "atom:logo" of element "atom:feed" are neglected. Could we utilize element "pubsub:items" to store that missing data of element "atom:feed"? <items node='urn:xmpp:microblog:0' title='The Journal of Romeo' subtitle='Of the affairs of the Capulet and Montague families.' logo='http://montague.lit/logo.svg'> Regards, Schimon

1 day, 22 hours

2
2
0 0

Atom Over XMPP and element atom:link

by Schimon Jehudah

Greetings. I would want to discuss of Atom Over XMPP; that is XEP-0277 and XEP-0472, and subsequently XEP-0501; and the implementation thereof by several publishing platforms. Some publishing platforms utilize RFC 4287 in an invalid fashion, and I would want to advise of a better practice. I do not discuss this over the documentation repository, because I do not think that it is necessary, as this is an issue which concerns to RFC 4287 itself The Atom Syndication Format. atom:content ------------ Section 4.1.2 to RFC 4287 titled by The "atom:entry" Element has this statement. > o atom:entry elements MUST NOT contain more than one atom:content > element. However, there are at least two publishing platforms that violate that principle, and provide two elements of "atom:content"; One "atom:content" element of type="xhtml" and an additional one of type="text" which is not really Plain Text as intended by RFC 4287, but is Markdown Text. I suppose that, the purpose of the extra element is to store the source code of the actual content, to facilitate human interaction with these platforms. It is important to not that the valid values of attribute "type" of element "atom:content" are "text, "html", and "xhtml". atom:link --------- Nevertheless, the element "atom:link" offers two relevant attributes to that would fit perfectly. Attribute "href" (location) to specify the URI to the document. That could also be over FTP, Gemini, HTTP, XMPP, over a PubSub URI for public or private access; and it is particularly helpful, to both developers and people, to access or download the source of a document, instead of extracting it from an XML element; Attribute "rel" (relation) which has various of uses over Atom, HTML, and XML, including paging with rel="next" and rel="previous" (RFC 5005), could be utilized to classify the content of the linked document as a source of a post (i.e. rel="source"); and Attribute "type" (MIME-Type) to set the file type of the content (i.e. type="text/markdown"). Attributes "hreflang" and "title", of element "atom:link", might also be useful, yet these two attributes are not crucial to this discussion. Importance ---------- There are three crucial reasons for that advisory. * Compliance with RFC 4287, as intended; * Better classification of data, as proposed; and * Most importantly, to not confuse developers who want to explore publishing over XMPP; for example, developers of publishing platforms such as Bonfire, Pleroma who are meticulous when they implement standards. Of note ------- I was confused, and almost discouraged, when I first attempted to create a publishing platform, because I tested against platforms that utilize more than a single element of "atom:content", and which one was classified as "text" even though it was not plain text. Respectfully, Schimon

5 days, 3 hours

1
1
0 0

Handling of Extended Key Usage extension in certificates

by Matthew Wild

Hi folks, This is (part of) a discussion I had intended to discuss at the summit, but we already had enough topics to fill the time (!) so I guess it's fine. This change primarily affects server-to-server connections, and therefore server developers. I published a blog post recently which covers some of the background and sparked some discussion: https://blog.prosody.im/2026-letsencrypt-changes/ Basically, OpenSSL (and almost certainly other libraries) validate the Extended Key Usage extension in certificates and, by default, forbid the usage of certificates without the clientAuth purpose from being valid at the client side of a connection. It's important not to be confused by the "client" and "server" terminology here: in a server-to-server connection, the initiating server is a "client" from the perspective of TCP, TLS and the application code. Most CAs have been including the clientAuth purpose in their certificates, however new requirements from Google are insisting that they stop doing this by June 2026. For a long time (at least a decade), Prosody has been overriding OpenSSL's default behaviour and permitting only certificates with the serverAuth purpose to be used for authenticating server-to-server connections, regardless of the direction of the connection. It is our belief that this is the correct way to do things. At least one implementation (ejabberd/fast_tls which also uses OpenSSL) was found so far to depend on the clientAuth purpose being present in certificates used on the "client" side of a server-to-server connection. The fix was released in ejabberd 25.08 last year (there are still many out-of-date servers on the network though). Due to diversity in the CA ecosystem, it's not necessarily safe to use certificates with only the clientAuth purpose to authenticate servers. Unfortunately this is documented nowhere in XMPP currently, which can lead to broken federation at best, and security issues at worst. I've submitted a PR to update XEP-0178, which seemed like the most natural fit for specifying this: https://github.com/xsf/xeps/pull/1501 Regards, Matthew

1 week

1
0
0 0

Scoping discussion: updating XMPP RFCs / XMPP 2.0

by Guus der Kinderen

Hi all, At the recent Summit, we had a long and nuanced discussion about the state of the XMPP RFCs and whether there is value in updating parts of them, potentially through the IETF, to better reflect how XMPP is actually implemented and used today. To be clear upfront: This is not a proposal to start an IETF working group, nor a commitment to produce new RFCs. The discussion at the Summit surfaced enough open questions that it seems worthwhile to first have a focused scoping and feasibility discussion. Some of the motivations that were raised: - The current RFCs do not describe a baseline that results in interoperable modern implementations - Discoverability for new implementers is difficult (knowing which XEPs are "essential") - The IM landscape has changed significantly since the original RFCs - External review and feedback could be valuable - There may be marketing and positioning benefits, but these are secondary At the same time, many concerns were raised: - The sheer amount of work required, and whether we realistically have the manpower - Risk of scope creep (e.g., baking too much into RFCs) - Loss of flexibility compared to the XEP process - Fear of starting something we cannot finish - Unclear interaction with compliance suites and the "living standard" nature of XMPP - Potential pushback or distraction from other IETF efforts (e.g., MIMI) Questions that seem worth discussing at this stage: - Is it useful to think about updating some RFCs (e.g., core, IM), while leaving the rest to XEPs? - What would be clearly in-scope vs out-of-scope? - Is there enough interest and capacity to justify exploring this further? - What would be a sensible first step that does not overcommit us? If you were at the Summit and felt strongly one way or the other, it would be great to hear your perspective here. If you weren't, fresh viewpoints are equally welcome. The goal of this thread is simply to assess whether this topic is worth pursuing further, and if so, in what very limited and realistic form. Kind regards, Guus

1 week

4
3
0 0

Wimsy: Yet another XMPP client

by Dave Cridland

Hi all, Not sure where else to announce this, so here goes... Last Friday, while in the XMPP Summit, I absently started typing in a chat window. I didn't get any chance to do more until the Eurostar back, but I've been occasionally typing in the same chat window now for a week, so I think I have something to share. https://github.com/dwd/Wimsy It's rough, certainly - but it's not bad for something I've barely touched the code of directly, and that I've only spent a week (of spare time) on. Whimsy is now a basic but functional XMPP client, running on: * Linux desktop - I'm using it there a lot. * Web - it's an installable PWA, too, deployed at https://dwd.github.io/Wimsy/ * Android - I have used the build, sometimes, and it does work, though it's probably not yet optimal. * MacOS - Builds in CI? * Windows - I should really try this one too. * iOS - Probably not very useful - no background, and no push - but hey it builds. It's written - apparently - in Flutter/Dart, which is, erm, a language or something. As is traditional in these announcements, I should note that Wimsy is just a hobby, and won't be big or professional like those other clients. Somewhat more seriously, the roughest parts of the UX are in the onboarding - like telling you to pick a PIN without any explanation of what that's for (encrypted local cache), or the *very* confusing checkbox for direct TLS (really only applies if you specify a host manually). I'll fix these up in time, as well as working toward a full compliance suite level. It's MIT-licensed, though includes a radically changed xmpp_stone library, and the upstream of that (copied in) is under Apache 2. People willing to test it and provide feedback would be enormously welcome, particularly on platforms I've not got to yet. "Bugs" - any suggestions for improvements really - are welcome as PRs putting a markdown file describing the improvement (in detail!) into ./bugs/new/ Less formalized suggestions are also welcome. Aside from the "Dave, why did you vibe-code an XMPP client in a week you mad idiot?" type. Because I'm not really in a position to review the code changes, I'd rather not accept direct patches. Seems odd, I know. Have fun, play nicely, Dave.

1 week, 3 days

1
0
0 0

Proposal: Add <no-notify/> hint to XEP-0334 (Message Processing Hints)

by Laura G.

I'd like to propose adding a new processing hint to XEP-0334 to support silent/whisper messages - messages that are delivered normally but don't trigger notifications on the recipient's device. Use Case: My mother and I communicate via XMPP throughout the day. She frequently participates in screen recordings and video calls (about 1 hour daily) where notification sounds and popups would be disruptive. However, she doesn't want to use DND mode because she needs to remain reachable for genuine emergencies. The solution we need: the ability to send non-urgent messages silently so she can read them when she next checks her client, without interrupting her work. User Demand: This feature is heavily requested across messaging platforms. A quick search shows thousands of users asking "how to send silent messages" or "send without notification" for Facebook Messenger, WhatsApp, Telegram, and other platforms. Telegram already implements this as "send without sound." The demand is clear and widespread. Proposed Addition to XEP-0334: A <no-notify/> processing hint with the following semantics: <message to='recipient(a)example.com' type='chat'> <body>Please look at the following when you have time: ...</body> <no-notify xmlns='urn:xmpp:hints'/> </message> Behavior: - The receiving client SHOULD NOT trigger audio/visual notifications - The message SHOULD still be delivered and stored normally - The message SHOULD appear in the chat history - The message MAY still update unread counts (implementation-dependent) - Clients MAY provide UI indication that a message was sent silently Benefits: - Allows nuanced communication without forcing binary DND states - Respects recipient's focus/workflow while maintaining async communication - Reduces notification fatigue - Provides sender control over message urgency - Simple to implement - clients already have notification suppression logic Backwards Compatibility: Clients that don't recognize <no-notify/> will simply deliver the message normally, which is acceptable fallback behavior. This would be a natural extension to the existing hint types in XEP-0334 (no-store, no-copy, store, no-permanent-store) and addresses a genuine gap in XMPP's messaging capabilities. Thoughts? Is this something the community would support adding to XEP-0334, or would it be better suited as a separate XEP? Best regards, L.G. I'm using an email mask just because I don't want recruiters to get a view of my personal life, please consider the proposal objectively.

1 week, 3 days

5
6
1 0

Proposed XMPP Extension: Link Metadata

by Daniel Gultsch

The XMPP Extensions Editor has received a proposal for a new XEP. Title: Link Metadata Abstract: This specification describes how to attach metadata for links to a message. URL: https://xmpp.org/extensions/inbox/link-metadata.html The Council will decide in the next two weeks whether to accept this proposal as an official XEP.

1 week, 4 days

1
0
0 0

UPDATED: XEP-0143 (Guidelines for Authors of XMPP Extension Protocols)

by Daniel Gultsch

Version 1.1.3 of XEP-0143 (Guidelines for Authors of XMPP Extension Protocols) has been released. Abstract: This document provides information intended to assist authors of XMPP Extension Protocols. Changelog: Reflect preference for GitHub pull requests for initial submission, PRs to contain only one changed XEP. (dwd) URL: https://xmpp.org/extensions/xep-0143.html Note: The information in the XEP list at https://xmpp.org/extensions/ is updated by a separate automated process and may be stale at the time this email is sent. The XEP documents linked herein are up-to- date.

1 week, 4 days

1
0
0 0

UPDATED: XEP-0001 (XMPP Extension Protocols)

by Daniel Gultsch

Version 1.26.0 of XEP-0001 (XMPP Extension Protocols) has been released. Abstract: This document defines the standards process followed by the XMPP Standards Foundation. Changelog: * Surface (and correct) the source control information. * Surface the publication URL (although I assume anyone reading this has figured that one out by now). * Surface the contributor side of things. * Add bit about XEP authors making PRs if they don't exist - this is "new" rather than documenting existing practice. * Add bit about PRs getting XEP author approval (existing practice hithertofore undocumented). * Add bit about Council (etc) adding authors if they drop off (existing practice hithertofore undocumented). * Add note to clarify that Retraction doesn't mean Deletion (existing practice, documented, but has been misunderstood before). (dwd) URL: https://xmpp.org/extensions/xep-0001.html Note: The information in the XEP list at https://xmpp.org/extensions/ is updated by a separate automated process and may be stale at the time this email is sent. The XEP documents linked herein are up-to- date.

1 week, 4 days

1
0
0 0

Presence problem in large MUC rooms.

by Goffi

Hi, Following what I've said yesterday at the summit, I would like to explain more my idea, and get your feedback. So basically the problem with presence in large MUC is that we get 2 things: - initial presence when we join the room - all the presence update when people join and leave, which is quite often with people on mobiles. So my point was that we are seeing MUC by the way it's used today. But we don't have to. We don't have to be actively in the room. What we want when we are in a large room, is to be able to check it when we want, and be notified when we are mentioned. For smaller rooms, we may want to be notified on each new message. The way I see it, we could have 2 ways to join a MUC: active and passive. The active join would be what we do today, we get all the presence, and updates, it's really bandwidth intensive. The passive join, on the other hand, would only say "we are in the room". The MUC service would then notify the client only in case of mention (or for any message in case of "subscribed" room). Benefit: - we don't have presence spam anymore, the client does an active join only when the user want to actually be in the room. So it's only one room at the time. - client doesn't have to actively parse message to look for mention, on mobile it will get a push notification and wake up only when necessary - It should be easy to implement on top on existing MUC implementation - It's backward compatible: non-compatible client will just to "active" join all the time, and get all the presence spam. Probably we can also optimize the initial presence in case of active join, but that's another topic. I think that solves the presence issue. Let me know what you think about it. Best, Goffi

1 week, 4 days

6
12
0 0

2026

2025

2024

2023

Standards