diff --git a/xep-0421.xml b/xep-0421.xml
index 846667b8d..b5c5c91c6 100644
--- a/xep-0421.xml
+++ b/xep-0421.xml
@@ -6,8 +6,8 @@
+
This specification defines a method to combat issues arising out of the - anonymity of MUC occupants while at the same time ensuring their privacy - by not leaking their real JID to other occupants. + pseudonymity of MUC occupants while at the same time ensuring their privacy + by not revealing their real JID to other occupants.
- If a MUC implements anonymous unique occupant identifiers, it MUST + If a MUC room implements occupant identifiers, it MUST specify the 'urn:xmpp:occupant-id:0' feature in its service discovery information features as specified in &xep0030;.
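Review bot: The rename from "anonymity" to "pseudonymity" is the accurate term, since a stable per-occupant identifier hides the JID but still links an occupant's actions within a room; make sure the same change is applied to the title, abstract and every remaining "anonymous unique occupant identifiers" phrase in the document so the spec does not use both terms side by side. The hunk also begins with a bare `+` line that adds an empty line to the XML; drop it unless the blank line is intentional.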
@@ -88,7 +94,7 @@ id='info1'>When a user enters a room, they send a presence to claim the nickname in - the MUC. A MUC that supports anonymous unique occupant identifiers - attaches an <occupant-id> element to the presence sent to all - occupants in the room. + the MUC. A MUC that supports occupant identifiers + attaches an <occupant-id> element within the "urn:xmpp:occupant-id:0" + namespace to the presence sent to all occupants in the room.
- The occupant identifier MUST be generated such that it is anonymous. This + The occupant identifier MUST be generated such that it is pseudonymous. This means that it MUST be sufficiently hard to determine the real bare JID of an occupant from its occupant identifier. Additionally, a MUC service SHOULD generate the identifier such that the occupant identifier of a user in one room of the service does not match the occupant identifier of the same user in another room of the same service. - To guarantee the anonymity property, the server MUST NOT generate an + If the MUC service generates the same occupant identifier for the same + user in different rooms, information shared using different nicknames and + in different rooms could be combined through the occupant identifier and + thereby unintentionally reveal information about the user. + To guarantee the pseudonymity property, the server MUST NOT generate an occupant identifier by only hashing the real bare JID using static, guessable or discoverable parameters.
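Review bot: The added rationale paragraph argues that cross-room correlation of occupant identifiers unintentionally reveals information about the user, yet the requirement it justifies ("the occupant identifier of a user in one room ... does not match ... in another room") remains a SHOULD; either promote it to a MUST, or state explicitly that clients cannot rely on identifiers being unlinkable across rooms of the same service, so that the normative strength matches the stated risk. Separately, "sufficiently hard to determine the real bare JID" could be tightened to the concrete property the later text relies on: because the space of plausible bare JIDs is small and enumerable, the identifier must not be computable from the JID without a secret held only by the service.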
@@ -207,9 +217,22 @@ One way to ensure these properties is to generate a private secret key for every room and use an HMAC algorithm with a sufficiently secure hash function to generate the occupant identifier from the real bare JID and - that secret key. This procedure ensures all the required properties with + that secret key. + Alternatively, the service can generate a single private secret key for the + whole service and use an HMAC algorithm to generate the occupant identifier + from the real bare JID, the room bare JID and the service secret key. + This procedure ensures all the required properties with minimal server side storage requirements. +- The anonymity property of occupant identifiers is crucial to not + The pseudonymity property of occupant identifiers is crucial to not accidentally reveal an occupant's real bare JID to other room occupants. Specifically, a simple hash over the occupant's real bare JID is not sufficient as an occupant identifier, as unsalted hashes can be reversed
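Review bot: The new service-wide key alternative should say how "the real bare JID, the room bare JID and the service secret key" are combined into the HMAC input; plain concatenation of two variable-length strings can let distinct (user, room) pairs produce the same input, so the text should require an unambiguous encoding (a separator that cannot occur in a JID, or length-prefixing of each field). The trade-off is also worth a sentence: with a single service key, compromise or rotation of that key affects the identifiers of every room, whereas per-room keys confine the impact to one room. Since the paragraph now describes two procedures, "This procedure ensures all the required properties with minimal server side storage requirements" is ambiguous; "Either procedure" (or noting that the single-key variant is the one with minimal storage) reads better. Finally, the line "+- The anonymity property of occupant identifiers is crucial to not" appears malformed for a removal line and should presumably be "- The anonymity property ...".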