[Standards] [XEP-0030] we can't get basic information on a bare JID without presence subscription

Goffi goffi at goffi.org
Fri Jan 7 11:31:23 UTC 2022


Hello and Happy New Year,

In the context of my work on an ActivityPub <=> XMPP gateway, I need to know if a PEP service handles RSM.

Normally this is done by doing a disco#info request and looking for "http://jabber.org/protocol/pubsub#rsm".
The problem is that I need to have presence subscription to do that on a bare JID (due to "https://xmpp.org/extensions/xep-0030.html#security"), even if the node I want to request (in the present case, it's XEP-0277's microblog node) is open and thus publicly accessible.

It makes little sense to need a presence subscription to get basic information on a pubsub node that I want to request, and it's not an option to presence subscribe each time my gateway wants to access a node.

I think that this security measure was made to prevent JID harvesting at a time when PEP was thought of as a means to broadcast private data only, but nowadays it's also used as a handy way to find very public data (like public microblog, public encryption keys, etc).
If one wants to check if a JID exists, requesting a well-known public node is enough, thus I think this security consideration is outdated and should be removed.

For my present use case, I can work around it by trying an RSM request and checking the result, but this is ugly and needlessly complicates the code. Furthermore, I suspect that this issue is more general and will hit again.

Thus I would like to see if we can get rid of this security restriction in XEP-0030. I know that this XEP is final, but as dwd pointed out on the xsf@ MUC where we've discussed the problem, this would be a backward compatible change.

I've made a pull request to update XEP-0030 at https://github.com/xsf/xeps/pull/1145 [1]. My proposal is to remove entirely those considerations (but to keep the ones regarding available resources).

Another option could be to keep the consideration, but allow disco#info when a node is specified, thus one could disco#info with node "urn:xmpp:microblog:0" even without pubsub subscription, that would keep the "service-unavailable" when no node is specified (but I think this measure will become totally useless as open nodes will become more common).

Thanks
Goffi

--------
[1] https://github.com/xsf/xeps/pull/1145
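
The check discussed in this message, as an added example that is not part of the original post or of any XMPP library: it builds the disco#info request (optionally scoped to a node) and classifies the reply as supported, unsupported, or refused with service-unavailable. The function names, the example.org JIDs and the sample replies are constructed for illustration, and the stanzas are assumed to arrive as strings from an XMPP library that has already parsed the stream.

```python
import xml.etree.ElementTree as ET

DISCO_INFO = "http://jabber.org/protocol/disco#info"
STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"
RSM_FEATURE = "http://jabber.org/protocol/pubsub#rsm"

# Constructed sample replies (example.org JIDs are placeholders).
WITH_RSM = ("<iq type='result' from='juliet@example.org' id='d1'>"
            f"<query xmlns='{DISCO_INFO}'>"
            "<identity category='pubsub' type='pep'/>"
            f"<feature var='{RSM_FEATURE}'/></query></iq>")
WITHOUT_RSM = ("<iq type='result' from='juliet@example.org' id='d2'>"
               f"<query xmlns='{DISCO_INFO}'>"
               "<identity category='pubsub' type='pep'/></query></iq>")
REFUSED = ("<iq type='error' from='juliet@example.org' id='d3'>"
           f"<error type='cancel'><service-unavailable xmlns='{STANZAS}'/>"
           "</error></iq>")


def build_disco_info(to_jid, iq_id, node=None):
    """Serialise a disco#info request, optionally scoped to one node."""
    iq = ET.Element("iq", {"type": "get", "to": to_jid, "id": iq_id})
    query = ET.SubElement(iq, f"{{{DISCO_INFO}}}query")
    if node is not None:
        query.set("node", node)
    return ET.tostring(iq, encoding="unicode")


def rsm_support(response_xml):
    """True/False if the entity answered, None if it refused to answer."""
    iq = ET.fromstring(response_xml)
    if iq.get("type") == "error":
        # Match <error/> by local name: on the wire it sits in jabber:client.
        err = next((c for c in iq if c.tag.rsplit("}", 1)[-1] == "error"), None)
        if err is not None and err.find(f"{{{STANZAS}}}service-unavailable") is not None:
            return None  # refused under the XEP-0030 rule: support is unknown
        raise ValueError("unexpected disco#info error")
    query = iq.find(f"{{{DISCO_INFO}}}query")
    if query is None:
        raise ValueError("reply carries no disco#info <query/>")
    features = {f.get("var") for f in query.findall(f"{{{DISCO_INFO}}}feature")}
    return RSM_FEATURE in features


if __name__ == "__main__":
    print(build_disco_info("juliet@example.org", "d1", "urn:xmpp:microblog:0"))
    for reply in (WITH_RSM, WITHOUT_RSM, REFUSED):
        print(rsm_support(reply))
```

A `None` result is the case the message describes: without a presence subscription the caller learns nothing and has to fall back to sending an RSM request and inspecting the result.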