[Standards] Clarification on iq routing in semi-anonymous MUCs

Marvin W xmpp at larma.de
Sat Sep 28 21:06:05 UTC 2019


Hi there,

In XEP-0045 it says that (§17.4#3):

> If an occupant wants to send an IQ stanza to another user in a semi-anonymous room, the sender can direct the stanza to the recipient's occupant JID and the service SHOULD forward the stanza to the recipient's real JID. However, the MUC service MUST NOT reveal the sender's real JID to the recipient at any time, nor reveal the recipient's real JID to the sender.

While the XEP is very specific that <message>s are to be routed to the
full JID of each occupant, it does not specify if <iq>s are to be
routed to the user's full or bare JID.

Currently server implementations seem to have diverging behavior in this
regard: ejabberd and Prosody <0.11 route IQs to the full JID (any of them
if there are multiple) except if the IQ contains a vCard query, which is
sent to the bare JID. Prosody 0.11+ routes PubSub IQs to the bare JID.
ejabberd allows disabling IQ forwarding on a per-room basis
(allow_query_users config).

Also, I wonder regarding the statement that the service must not reveal
the recipient's real JID to the sender: vCards do have a JABBERID field
that might be set to the user's real JID. Doing so will normally only
reveal the JABBERID to users that already have it, as this is a
requirement to fetch the vCard outside of MUCs. If MUCs forward IQ
requests for the vCard, they reveal the vCard's JABBERID, which they
could only retrieve because they knew the real JID, and thus they do
reveal the recipient's real JID to the sender.

As the recipient server does not know if the vCard request comes from a
MUC, it assumes it's a normal user and thus cannot apply any privacy
filtering.

Other information (besides JABBERID) that can be retrieved using vCard or
PubSub may contain privacy-sensitive information (including the avatar,
which I believe to be one of the main reasons servers have the described
behavior).


During the ongoing XMPP sprint we found that it probably would be best if
we do not route IQs in semi-anonymous MUCs (even pings have the issue of
revealing an RTT, which can be used to estimate the location of the other
occupant or their server). However, this is contrary to both current
implementations and the specification in XEP-0045.


What is supposed to be the correct behavior? Can we clarify in
XEP-0045 §17.4 how to correctly route IQs in a MUC? Should we expect MUC
servers to modify the vCard to ensure they don't reveal the real JID?

Thanks for any feedback,
Marvin
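As an added illustration, not code from the post, from ejabberd or from Prosody, here is a small Python model of the two mitigations the message raises for a semi-anonymous room: not relaying occupant-to-occupant IQs at all (the sprint's proposal), or relaying them only after the MUC service has stripped the JABBERID field from vCard results. The sample stanzas and JIDs are constructed, and `route_iq`, its `policy` argument and the other function names are hypothetical; the namespaces are the real ones from XEP-0054, XEP-0060 and XEP-0199.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Real XMPP namespaces for the payload types the post discusses.
NS_VCARD = "vcard-temp"                          # XEP-0054 vCard-temp
NS_PUBSUB = "http://jabber.org/protocol/pubsub"  # XEP-0060 PubSub
NS_PING = "urn:xmpp:ping"                        # XEP-0199 XMPP Ping

# Constructed sample stanzas (not from the post). The first is a vCard
# result as the recipient's home server would answer it; all JIDs and
# field values are made up. The second is a plain ping between occupants.
SAMPLE_VCARD_RESULT = (
    '<iq type="result" id="v1" from="alice@example.org" '
    'to="room@muc.example.org/bob">'
    '<vCard xmlns="vcard-temp">'
    '<FN>Alice</FN>'
    '<JABBERID>alice@example.org</JABBERID>'
    '<PHOTO><TYPE>image/png</TYPE><BINVAL>QUJD</BINVAL></PHOTO>'
    '</vCard></iq>'
)
SAMPLE_PING = (
    '<iq type="get" id="p1" to="room@muc.example.org/alice">'
    '<ping xmlns="urn:xmpp:ping"/></iq>'
)


def payload_namespace(iq: ET.Element) -> Optional[str]:
    """Namespace of the IQ's first child element (its payload), or None."""
    child = next(iter(iq), None)
    if child is None or not child.tag.startswith("{"):
        return None
    return child.tag[1:].split("}", 1)[0]


def count_jabberid(iq_xml: str) -> int:
    """Number of JABBERID fields in a serialized stanza (0 once sanitized)."""
    iq = ET.fromstring(iq_xml)
    return len(iq.findall(f".//{{{NS_VCARD}}}JABBERID"))


def sanitize_vcard_result(iq: ET.Element) -> int:
    """Strip JABBERID from a vCard result in place; returns the count removed.

    The recipient's server cannot tell that the request came through a MUC,
    so the MUC service is the only hop that can remove the field (the
    mitigation the post asks about).
    """
    vcard = iq.find(f"{{{NS_VCARD}}}vCard")
    if vcard is None:
        return 0
    removed = 0
    for field in list(vcard):
        if field.tag == f"{{{NS_VCARD}}}JABBERID":
            vcard.remove(field)
            removed += 1
    return removed


def route_iq(iq_xml: str, semi_anonymous: bool,
             policy: str = "drop") -> Tuple[str, Optional[str]]:
    """Decide what a hypothetical MUC service does with an occupant-to-occupant IQ.

    Returns (decision, stanza): decision is "forward" or "drop", stanza is the
    (possibly rewritten) serialized IQ to relay, or None when dropped.

    policy "drop":     never relay IQs in semi-anonymous rooms; this also
                       closes the RTT side channel of pings the post mentions.
    policy "sanitize": relay, but remove JABBERID from vCard results.
    """
    if not semi_anonymous:
        # Non-anonymous room: real JIDs are visible anyway, nothing to protect.
        return "forward", iq_xml
    if policy == "drop":
        return "drop", None
    if policy != "sanitize":
        raise ValueError(f"unknown policy {policy!r}")
    iq = ET.fromstring(iq_xml)
    if payload_namespace(iq) == NS_VCARD and iq.get("type") == "result":
        sanitize_vcard_result(iq)
    # ElementTree re-serializes the payload with an ns0: prefix; that is
    # equivalent XML, only the prefix form differs from the input.
    return "forward", ET.tostring(iq, encoding="unicode")


if __name__ == "__main__":
    print(route_iq(SAMPLE_VCARD_RESULT, semi_anonymous=True))
    print(route_iq(SAMPLE_VCARD_RESULT, semi_anonymous=True, policy="sanitize"))
    print(route_iq(SAMPLE_PING, semi_anonymous=True, policy="sanitize"))
```

Stripping JABBERID only closes the one field the post names; the avatar and the other vCard or PubSub data it mentions can still identify a user, which is why "drop" is the default policy in this model and "sanitize" is the weaker option.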
