[Standards] LAST CALL: XEP-0363 (HTTP File Upload)

Dave Cridland dave at cridland.net
Thu Jan 16 10:57:58 UTC 2020

On Tue, 14 Jan 2020 at 21:41, Jonas Schäfer <jonas at wielicki.name> wrote:

> This message constitutes notice of a Last Call for comments on XEP-0363.
> The
> Last Call was restarted after the Council election, because the previous
> Council did not vote on the ongoing LC.
> Title: HTTP File Upload
> Abstract:
> This specification defines a protocol to request permissions from
> another entity to upload a file to a specific path on an HTTP server
> and at the same time receive a URL from which that file can later be
> downloaded again.
> URL: https://xmpp.org/extensions/xep-0363.html
> This Last Call begins today and shall end at the close of business on
> 2020-01-28.
> Please consider the following questions during this Last Call and send
> your feedback to the standards at xmpp.org discussion list:
> 1. Is this specification needed to fill gaps in the XMPP protocol
> stack or to clarify an existing protocol?
Yes. While there is some overlap between this specification and Jingle FT,
there is no particular reason why these two cannot be used in a useful
combination in the future.

> 2. Does the specification solve the problem stated in the introduction
> and requirements?
I'm not convinced the last bullet point is a requirement, actually, but if
it is it is not met.

I think it would be more useful to move this bullet into the Security

> 3. Do you plan to implement this specification in your code? If not,
> why not?
Not currently; while we move images around we have rather higher
requirements on access control as our images contain sensitive patient
data, and the simplistic approach taken here is insufficient. However,
there are multiple ways to address this and we might revisit.

> 4. Do you have any security concerns related to this specification?
As mentioned above, I don't think "weak security" is a requirement as such,
and the Security Considerations do not actually make it explicit that this
is the model. It would seem more useful to move that bullet into Security
Considerations and rephrase it slightly.

> 5. Is the specification accurate and clearly written?

Yes - and incidentally vastly improved since it's original Last Call.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/standards/attachments/20200116/bb6a501e/attachment.html>

More information about the Standards mailing list