[Standards] Public-key-driven presence subscription

Daniele Ricci daniele.athome at gmail.com
Sun Jul 7 19:47:40 UTC 2013


Greetings,
I'm working to extend XMPP to be suited for my project. My project has
the need to not store rosters on behalf of users. I'm already using
asymmetric encryption and I thought that I might be able to "verify" a
presence subscription request by looking at public key signatures. For
example:

* Alice requests presence subscription to Bob
* Bob receives the subscription request along with Alice's public key
* if Bob accepts, he signs Alice's public key using his private key
* Bob will reply to the subscription request including signed Alice's public key
* Alice is now authorized to see Bob's presence - the server just needs to
check for the right signature on the public key

This has some advantages:
* Server doesn't need to store roster lists for each user. Storing
public keys will be enough
* Using a WoT system (such as OpenPGP), we can encourage people to use it
* This system can be used for handling permissions to send messages
and generally obtain information about a user - the server will check the
signatures to see if a user is allowed to see someone else's info or
send a message

Please note that my project has no roster list management, but I think
that this method can be applied also to output a roster list generated
on-the-fly by looking at public key signatures.

Is this an insane approach? What do you think?

Regards,
--
Daniele
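The exchange described in the post, as an added example in Go that is not code from the post or from Daniele's project: Bob approves Alice's subscription by signing her public key, and a server that stores only public keys checks that signature before letting Alice see Bob's presence. It assumes Ed25519 keys, hypothetical JIDs, and a context tag bound to Bob's JID (an addition of mine; the post signs the bare key) so that one approval cannot be replayed as an approval for a different owner or purpose.

```go
package main

import "crypto/ed25519"

// Context tag (assumption added here; the post signs the bare key): Bob signs
// tag||ownerJID||subscriberKey so his approval cannot be replayed for another owner or purpose.
const subscribeTag = "xmpp-presence-subscription-v1"

// Identity is a user's long-term asymmetric key pair.
type Identity struct {
	JID  string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity(jid string) *Identity {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	if err != nil {
		panic(err) // no usable randomness: refuse to mint keys
	}
	return &Identity{JID: jid, Pub: pub, priv: priv}
}

// subscribeMsg is the exact byte string that is signed by Bob and verified by the server.
func subscribeMsg(ownerJID string, subscriberPub ed25519.PublicKey) []byte {
	return append([]byte(subscribeTag+"\x00"+ownerJID+"\x00"), subscriberPub...)
}

// Approve is Bob's accept step: he signs Alice's public key with his private key.
func (owner *Identity) Approve(subscriberPub ed25519.PublicKey) []byte {
	return ed25519.Sign(owner.priv, subscribeMsg(owner.JID, subscriberPub))
}

// Server keeps public keys only; no roster is stored on anyone's behalf.
type Server struct{ keys map[string]ed25519.PublicKey }

func NewServer(users ...*Identity) *Server {
	s := &Server{keys: map[string]ed25519.PublicKey{}}
	for _, u := range users {
		s.keys[u.JID] = u.Pub
	}
	return s
}

// MayWatch: the subscriber sees ownerJID's presence iff sig is the owner's signature
// over the subscriber's key. Unknown owners and malformed signatures are refused.
func (s *Server) MayWatch(subscriberPub ed25519.PublicKey, ownerJID string, sig []byte) bool {
	ownerPub, ok := s.keys[ownerJID]
	return ok && ed25519.Verify(ownerPub, subscribeMsg(ownerJID, subscriberPub), sig)
}
```

Binding Alice's key to Alice herself (the WoT step the post mentions) is outside this block: the server only checks that Bob signed the key the subscriber presents.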


