[Standards] LAST CALL: XEP-0280 (Message Carbons)
georg at op-co.de
Mon Feb 13 13:59:44 UTC 2017
* XMPP Extensions Editor <editor at xmpp.org> [2017-02-09 00:07]:
> 1. Is this specification needed to fill gaps in the XMPP protocol stack or to clarify an existing protocol?
> 2. Does the specification solve the problem stated in the introduction and requirements?
yes, to approximately 90%. The last bullet point in §2 still has
undefined corner cases for MUC-PMs which I'd like to address (as
described later in this mail):
| All clients that turn on the new protocol MUST be able to see all
| outbound instant messaging messages from all of the resources of the
| user, regardless of whether the clients for the other resources have
| implemented the new protocol.
> 3. Do you plan to implement this specification in your code? If not, why not?
yes, already implemented.
> 4. Do you have any security concerns related to this specification?
yes. While the spec clearly addresses security in §11, CVE-2017-5589+
has shown that a dozen developers independently introduced the same
security vulnerability when implementing the XEP. Because of this, I
suggest adding stronger and clearer wording regarding the security
implications into §7 (or a dedicated "client processing" section) as
There is a pending PR at https://github.com/xsf/xeps/pull/413 that
should improve wording already, and I'd like to add some more warning
words once it is merged.
> 5. Is the specification accurate and clearly written?
The spec is good, and some of the issues I have with it are going to be
resolved with #413. However, I'd like to properly specify the MUC and
MUC-PM interactions with Carbons, as I suggested two weeks ago in
Specifically, I'd like to make explicit rules for how clients and
servers should tag and interpret MUC-related messages. Please discuss
the details and interop with 0045 in that thread.
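The §11 rule the mail alludes to, as an added example that is not part of this post or of the XEP text: a client must discard any carbon wrapper whose outer `from` is not the user's own bare JID. The namespaces are those of XEP-0280 and XEP-0297; the two stanzas are constructed sample input.

```python
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"   # XEP-0280
NS_FORWARD = "urn:xmpp:forward:0"   # XEP-0297


def unwrap_carbon(stanza_xml, own_bare_jid):
    """Return (direction, inner <message>) for a trusted carbon, else None.

    XEP-0280 §11: forwarded copies MUST come from the user's own bare JID;
    anything else MUST be ignored. Skipping this check lets any contact
    inject a fake <sent/> or <received/> copy into the conversation view.
    """
    outer = ET.fromstring(stanza_xml)
    if outer.tag != f"{{{NS_CLIENT}}}message":
        return None
    if outer.get("from") != own_bare_jid:
        return None  # not from our own account: spoofed or misrouted
    for direction in ("received", "sent"):
        wrapper = outer.find(f"{{{NS_CARBONS}}}{direction}")
        if wrapper is None:
            continue
        inner = wrapper.find(f"{{{NS_FORWARD}}}forwarded/{{{NS_CLIENT}}}message")
        return (direction, inner) if inner is not None else None
    return None  # no carbon wrapper at all


# Constructed sample: a genuine carbon delivered by the user's own server.
GENUINE = (
    '<message xmlns="jabber:client" from="romeo@montague.example" '
    'to="romeo@montague.example/home" type="chat">'
    '<received xmlns="urn:xmpp:carbons:2">'
    '<forwarded xmlns="urn:xmpp:forward:0">'
    '<message xmlns="jabber:client" from="juliet@capulet.example/balcony" '
    'to="romeo@montague.example/garden" type="chat">'
    '<body>Wherefore art thou?</body></message>'
    '</forwarded></received></message>'
)
# Constructed sample: same wrapper, but sent by a third party.
SPOOFED = GENUINE.replace('from="romeo@montague.example"', 'from="mallory@example.org"', 1)

if __name__ == "__main__":
    print(unwrap_carbon(GENUINE, "romeo@montague.example"))  # ('received', <Element ...>)
    print(unwrap_carbon(SPOOFED, "romeo@montague.example"))  # None
```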