One document matched: draft-saintandre-rfc3920bis-01.txt
Differences from draft-saintandre-rfc3920bis-00.txt
XMPP Working Group P. Saint-Andre, Ed.
Internet-Draft XSF
Expires: July 30, 2007 January 26, 2007
Extensible Messaging and Presence Protocol (XMPP): Core
draft-saintandre-rfc3920bis-01
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 30, 2007.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This memo defines the core features of the Extensible Messaging and
Presence Protocol (XMPP), a technology for streaming Extensible
Markup Language (XML) elements in order to exchange structured
information in close to real time between any two network-aware
entities. XMPP provides a generalized, extensible framework for
incrementally exchanging XML data, upon which a variety of
applications can be built. The framework includes methods for stream
setup and teardown, channel encryption, authentication of a client to
a server and of one server to another server, and primitives for
Saint-Andre Expires July 30, 2007 [Page 1]
Internet-Draft XMPP Core January 2007
push-style messages, publication of presence and availability
information, and request-response interactions between any two XMPP
entities. This document also specifies the format for XMPP
addresses, which are fully internationalizable.
This document obsoletes RFC 3920.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2. Functional Summary . . . . . . . . . . . . . . . . . . . 5
1.3. Conventions . . . . . . . . . . . . . . . . . . . . . . 6
2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2. Server . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3. Client . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.4. Network . . . . . . . . . . . . . . . . . . . . . . . . 7
3. Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2. Domain Identifier . . . . . . . . . . . . . . . . . . . 9
3.3. Node Identifier . . . . . . . . . . . . . . . . . . . . 9
3.4. Resource Identifier . . . . . . . . . . . . . . . . . . 10
3.5. Determination of Addresses . . . . . . . . . . . . . . . 10
4. TCP Binding . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. XML Streams . . . . . . . . . . . . . . . . . . . . . . . . . 12
5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 12
5.2. Stream Security . . . . . . . . . . . . . . . . . . . . 14
5.3. Stream Attributes . . . . . . . . . . . . . . . . . . . 14
5.4. Namespace Declarations . . . . . . . . . . . . . . . . . 17
5.5. Stream Features . . . . . . . . . . . . . . . . . . . . 18
5.6. Closing Streams . . . . . . . . . . . . . . . . . . . . 18
5.7. Reconnection . . . . . . . . . . . . . . . . . . . . . . 19
5.8. Stream Errors . . . . . . . . . . . . . . . . . . . . . 19
5.9. Simplified Stream Examples . . . . . . . . . . . . . . . 23
6. TLS Negotiation . . . . . . . . . . . . . . . . . . . . . . . 24
6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 24
6.2. Narrative . . . . . . . . . . . . . . . . . . . . . . . 27
7. SASL Negotiation . . . . . . . . . . . . . . . . . . . . . . 28
7.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 28
7.2. Narrative . . . . . . . . . . . . . . . . . . . . . . . 30
7.3. SASL Definition . . . . . . . . . . . . . . . . . . . . 32
7.4. SASL Errors . . . . . . . . . . . . . . . . . . . . . . 33
8. Resource Binding . . . . . . . . . . . . . . . . . . . . . . 33
8.1. Binding Multiple Resources . . . . . . . . . . . . . . . 37
9. XML Stanzas . . . . . . . . . . . . . . . . . . . . . . . . . 38
9.1. Common Attributes . . . . . . . . . . . . . . . . . . . 39
Saint-Andre Expires July 30, 2007 [Page 2]
Internet-Draft XMPP Core January 2007
9.2. Basic Semantics . . . . . . . . . . . . . . . . . . . . 41
9.3. Stanza Errors . . . . . . . . . . . . . . . . . . . . . 43
9.4. Extended Namespaces . . . . . . . . . . . . . . . . . . 47
10. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 48
10.1. Client-to-Server . . . . . . . . . . . . . . . . . . . . 48
10.2. Server-to-Server Examples . . . . . . . . . . . . . . . 54
11. Server Rules for Handling XML Stanzas . . . . . . . . . . . . 57
11.1. No 'to' Address . . . . . . . . . . . . . . . . . . . . 58
11.2. Foreign Domain . . . . . . . . . . . . . . . . . . . . . 58
11.3. Subdomain . . . . . . . . . . . . . . . . . . . . . . . 59
11.4. Mere Domain or Specific Resource . . . . . . . . . . . . 59
11.5. Node in Same Domain . . . . . . . . . . . . . . . . . . 59
12. XML Usage . . . . . . . . . . . . . . . . . . . . . . . . . . 60
12.1. Restrictions . . . . . . . . . . . . . . . . . . . . . . 60
12.2. XML Namespace Names and Prefixes . . . . . . . . . . . . 60
12.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 62
12.4. Inclusion of Text Declaration . . . . . . . . . . . . . 62
12.5. Character Encoding . . . . . . . . . . . . . . . . . . . 62
12.6. White Space . . . . . . . . . . . . . . . . . . . . . . 62
13. Compliance Requirements . . . . . . . . . . . . . . . . . . . 62
13.1. Servers . . . . . . . . . . . . . . . . . . . . . . . . 63
13.2. Clients . . . . . . . . . . . . . . . . . . . . . . . . 63
14. Internationalization Considerations . . . . . . . . . . . . . 64
15. Security Considerations . . . . . . . . . . . . . . . . . . . 64
15.1. High Security . . . . . . . . . . . . . . . . . . . . . 64
15.2. Certificate Validation . . . . . . . . . . . . . . . . . 64
15.3. Client-to-Server Communications . . . . . . . . . . . . 65
15.4. Server-to-Server Communications . . . . . . . . . . . . 66
15.5. Order of Layers . . . . . . . . . . . . . . . . . . . . 66
15.6. Lack of SASL Channel Binding to TLS . . . . . . . . . . 67
15.7. Mandatory-to-Implement Technologies . . . . . . . . . . 67
15.8. Firewalls . . . . . . . . . . . . . . . . . . . . . . . 67
15.9. Use of base64 in SASL . . . . . . . . . . . . . . . . . 68
15.10. Stringprep Profiles . . . . . . . . . . . . . . . . . . 68
16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 69
16.1. XML Namespace Name for TLS Data . . . . . . . . . . . . 69
16.2. XML Namespace Name for SASL Data . . . . . . . . . . . . 69
16.3. XML Namespace Name for Stream Errors . . . . . . . . . . 69
16.4. XML Namespace Name for Resource Binding . . . . . . . . 70
16.5. XML Namespace Name for Stanza Errors . . . . . . . . . . 70
16.6. Nodeprep Profile of Stringprep . . . . . . . . . . . . . 70
16.7. Resourceprep Profile of Stringprep . . . . . . . . . . . 71
16.8. GSSAPI Service Name . . . . . . . . . . . . . . . . . . 71
16.9. Port Numbers . . . . . . . . . . . . . . . . . . . . . . 71
17. References . . . . . . . . . . . . . . . . . . . . . . . . . 71
17.1. Normative References . . . . . . . . . . . . . . . . . . 71
17.2. Informative References . . . . . . . . . . . . . . . . . 73
Appendix A. Nodeprep . . . . . . . . . . . . . . . . . . . . . . 76
Saint-Andre Expires July 30, 2007 [Page 3]
Internet-Draft XMPP Core January 2007
A.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 76
A.2. Character Repertoire . . . . . . . . . . . . . . . . . . 76
A.3. Mapping . . . . . . . . . . . . . . . . . . . . . . . . 76
A.4. Normalization . . . . . . . . . . . . . . . . . . . . . 77
A.5. Prohibited Output . . . . . . . . . . . . . . . . . . . 77
A.6. Bidirectional Characters . . . . . . . . . . . . . . . . 77
Appendix B. Resourceprep . . . . . . . . . . . . . . . . . . . . 77
B.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 77
B.2. Character Repertoire . . . . . . . . . . . . . . . . . . 78
B.3. Mapping . . . . . . . . . . . . . . . . . . . . . . . . 78
B.4. Normalization . . . . . . . . . . . . . . . . . . . . . 78
B.5. Prohibited Output . . . . . . . . . . . . . . . . . . . 78
B.6. Bidirectional Characters . . . . . . . . . . . . . . . . 79
Appendix C. Server Dialback . . . . . . . . . . . . . . . . . . 79
C.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 79
C.2. Order of Events . . . . . . . . . . . . . . . . . . . . 80
C.3. Protocol . . . . . . . . . . . . . . . . . . . . . . . . 81
C.4. Reuse of Negotiated Connections . . . . . . . . . . . . 87
C.5. Dialback Key Generation . . . . . . . . . . . . . . . . 88
C.6. Advertisement . . . . . . . . . . . . . . . . . . . . . 89
Appendix D. XML Schemas . . . . . . . . . . . . . . . . . . . . 91
D.1. Streams namespace . . . . . . . . . . . . . . . . . . . 91
D.2. Stream error namespace . . . . . . . . . . . . . . . . . 92
D.3. TLS namespace . . . . . . . . . . . . . . . . . . . . . 94
D.4. SASL namespace . . . . . . . . . . . . . . . . . . . . . 94
D.5. Resource binding namespace . . . . . . . . . . . . . . . 96
D.6. Dialback namespace . . . . . . . . . . . . . . . . . . . 98
D.7. Server dialback stream feature namespace . . . . . . . . 100
D.8. Stanza error namespace . . . . . . . . . . . . . . . . . 100
Appendix E. Contact Addresses . . . . . . . . . . . . . . . . . 102
Appendix F. Differences From RFC 3920 . . . . . . . . . . . . . 102
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 103
Intellectual Property and Copyright Statements . . . . . . . . . 104
Saint-Andre Expires July 30, 2007 [Page 4]
Internet-Draft XMPP Core January 2007
1. Introduction
1.1. Overview
The Extensible Messaging and Presence Protocol (XMPP) is an
Extensible Markup Language XML [XML] technology for near-real-time
messaging, presence, and request-response services. The basic syntax
and semantics were developed originally within the Jabber open-source
community, mainly in 1999. In 2002, the XMPP WG was chartered with
developing an adaptation of the core Jabber protocol that would be
suitable as an IETF instant messaging (IM) and presence technology.
As a result of work by the XMPP WG as well as implementation
experience and interoperability testing completed since the
publication of RFC 3920, this document defines the core features of
XMPP 1.0; the extensions required to provide the instant messaging
and presence functionality defined in [IMP-REQS] are specified in
[XMPP-IM].
This document obsoletes RFC 3920.
1.2. Functional Summary
The purpose of XMPP is to enable the exchange of relatively small
pieces of structured data (called "XML stanzas") over a network
between any two (or more) entities. XMPP is implemented using a
client-server architecture, wherein a client must connect to a server
in order to gain access to the network and thus be allowed to
exchange XML stanzas with other entities. The process whereby a
client connects to a server, exchanges XML stanzas, and ends the
connection is as follows:
1. Determine the hostname and port at which to connect
2. Open a TCP connection
3. Open an XML stream
4. Complete TLS negotiation for channel encryption (RECOMMENDED)
5. Complete SASL negotiation for authentication
6. Bind a resource to the stream
7. Exchange XML stanzas with other entities on the network
8. Close the stream when further communications are not needed or
desired
9. Close the TCP connection.
In the sections following discussion of XMPP architecture and XMPP
addresses, this document specifies how clients connect to servers and
specifies the basic semantics of XML stanzas, but does not define the
"payloads" of the XML stanzas that might be exchanged once a
connection is successfully established; instead, definition of such
semantics is provided by various XMPP extensions (e.g., [XMPP-IM] for
Saint-Andre Expires July 30, 2007 [Page 5]
Internet-Draft XMPP Core January 2007
basic instant messaging and presence applications).
Within the client-server architecture used by XMPP, one server may
optionally connect to another server to enable inter-domain or inter-
server communication. For this to happen, the two servers must
negotiate a connection between themselves and then exchange XML
stanzas; the process for doing so is as follows:
1. Determine the hostname and port at which to connect
2. Open a TCP connection
3. Open an XML stream
4. Complete TLS negotiation for channel encryption (RECOMMENDED)
5. Complete SASL negotiation for authentication
6. Exchange XML stanzas both directly for the servers and indirectly
on behalf of entities associated with each server (e.g.,
connected clients)
7. Close the stream when further communications are not needed or
desired
8. Close the TCP connection.
Note: Depending on local policies, a service may wish to use server
dialback to provide weak verification in cases where SASL negotiation
would not result in strong authentication (e.g., because the
certificate presented by the peer service during TLS negotiation is
self-signed and thus provides only weak identity); for details, see
Appendix C.
1.3. Conventions
The following keywords are to be interpreted as described in [TERMS]:
"MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD",
"RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".
In examples, lines have been wrapped for improved readability.
2. Architecture
2.1. Overview
XMPP assumes a client-server architecture, wherein a client utilizing
XMPP accesses a server (normally over a [TCP] connection) and servers
can also communicate with each other over TCP connections.
Architectures that use the syntax of XML stanzas (Section 9) but that
establish peer-to-peer connections directly between clients using
technologies based on [LINKLOCAL] have been deployed, but such
architectures are not XMPP and are best described as "XMPP-like"; for
details, see [XEP-0174].
Saint-Andre Expires July 30, 2007 [Page 6]
Internet-Draft XMPP Core January 2007
An architectural diagram for a typical deployment is shown here,
where the entities have the following significance:
o romeo@example.net -- an XMPP user.
o example.net -- an XMPP server.
o juliet@example.com -- an XMPP user.
o example.com -- an XMPP server.
example.net----------------------example.com
| |
| |
romeo@example.net juliet@example.com
2.2. Server
A server acts as an intelligent abstraction layer for XMPP
communications. Its primary responsibilities are:
o to manage connections from other entities, in the form of XML
streams (Section 5) to and from authorized clients, servers, and
other entities
o to route appropriately-addressed XML stanzas (Section 9) among
such entities over XML streams
Most XMPP-compliant servers also assume responsibility for the
storage of data that is used by clients (e.g., contact lists for
users of XMPP-based instant messaging and presence applications); in
this case, the XML data is processed directly by the server itself on
behalf of the client and is not routed to another entity.
2.3. Client
Most clients connect directly to a server over a [TCP] connection and
use XMPP to take full advantage of the functionality provided by a
server and any associated services. Multiple resources (e.g.,
devices or locations) MAY connect simultaneously to a server on
behalf of each authorized client, with each resource differentiated
by the resource identifier of an XMPP address (e.g.,
<node@domain/home> vs. <node@domain/work>) as defined under Addresses
(Section 3) and Resource Binding (Section 8). The RECOMMENDED port
for connections between a client and a server is 5222, as registered
with the IANA (see Port Numbers (Section 16.9)).
2.4. Network
Because each server is identified by a network address and because
server-to-server communications are a straightforward extension of
Saint-Andre Expires July 30, 2007 [Page 7]
Internet-Draft XMPP Core January 2007
the client-to-server protocol, in practice, the system consists of a
network of servers that inter-communicate. Thus, for example,
<juliet@example.com> is able to exchange messages, presence, and
other information with <romeo@example.net>. This pattern is familiar
from messaging protocols (such as [SMTP]) that make use of network
addressing standards. Communications between any two servers are
OPTIONAL. If enabled, such communications SHOULD occur over XML
streams that are bound to [TCP] connections. The RECOMMENDED port
for connections between servers is 5269, as registered with the IANA
(see Port Numbers (Section 16.9)).
3. Addresses
3.1. Overview
An entity is anything that can be considered a network endpoint
(i.e., an ID on the network) and that can communicate using XMPP.
All such entities are uniquely addressable on the network. For
historical reasons, the address of an XMPP entity is called a Jabber
Identifier or JID. A valid JID contains a set of ordered elements
formed of a domain identifier, node identifier, and resource
identifier.
The syntax for a JID is defined as follows using the Augmented
Backus-Naur Form as defined in [ABNF].
jid = [ node "@" ] domain [ "/" resource ]
node = 1*(nodepoint)
; a "nodepoint" is a UTF-8 encoded Unicode code
; point that satisfies the Nodeprep profile of
; stringprep
domain = fqdn / address-literal / idnlabel
fqdn = (idnlabel 1*("." idnlabel))
; an "idnlabel" is an internationalized domain
; label as described in RFC 3490
address-literal = IPv4address / IPv6address
; the "IPv4address" and "IPv6address" rules are
; defined in Appendix B of RFC 3513
resource = 1*(resourcepoint)
; a "resourcepoint" is a UTF-8 encoded Unicode
; code point that satisfies the Resourceprep
; profile of stringprep
All JIDs are based on the foregoing structure. One common use of
this structure is to identify a messaging and presence account, the
server that hosts the account, and a connected resource (e.g., a
specific device) in the form of <node@domain/resource>. However,
Saint-Andre Expires July 30, 2007 [Page 8]
Internet-Draft XMPP Core January 2007
node types other than clients are possible; for example, a specific
chat room offered by a multi-user chat service (see [XEP-0045]) could
be addressed as <room@service> (where "room" is the name of the chat
room and "service" is the hostname of the multi-user chat service)
and a specific occupant of such a room could be addressed as
<room@service/nick> (where "nick" is the occupant's room nickname).
Many other JID types are possible (e.g., <domain/resource> could be a
server-side script or service).
Each allowable portion of a JID (node identifier, domain identifier,
and resource identifier) MUST NOT be more than 1023 bytes in length,
resulting in a maximum total size (including the '@' and '/'
separators) of 3071 bytes.
Note: While the format of a JID is consistent with [URI], an entity's
address on an XMPP network MUST be a JID (without a URI scheme) and
not a [URI] or [IRI] as specified in [XMPP-URI]; the latter
specification is provided only for use by non-XMPP applications.
3.2. Domain Identifier
The DOMAIN IDENTIFIER is the primary identifier and is the only
REQUIRED element of a JID (a mere domain identifier is a valid JID).
It usually represents the network or "home" server to which other
entities connect for XML routing and data management capabilities.
However, the entity referenced by a domain identifier is not always a
server, and may be a service that is addressed as a subdomain of a
server that provides functionality above and beyond the capabilities
of a server (e.g., a multi-user chat service or a user directory).
The domain identifier for every server or service that will
communicate over a network MAY be an IP address but SHOULD be a fully
qualified domain name (see [DNS]). A domain identifier MUST be an
"internationalized domain name" as defined in [IDNA], to which the
[NAMEPREP] profile of [STRINGPREP] can be applied without failing.
Before comparing two domain identifiers, a server MUST (and a client
SHOULD) first apply the Nameprep profile to the labels (as defined in
[IDNA]) that make up each identifier. Note: When applying the
Nameprep profile, the UseSTD3ASCIIRules flag MUST be set to true.
3.3. Node Identifier
The NODE IDENTIFIER is an optional secondary identifier placed before
the domain identifier and separated from the latter by the '@'
character. It usually represents the entity requesting and using
network access provided by a server (i.e., a client), although it can
also represent other kinds of entities (e.g., a chat room associated
with a multi-user chat service). The entity represented by a node
Saint-Andre Expires July 30, 2007 [Page 9]
Internet-Draft XMPP Core January 2007
identifier is addressed within the context of a specific domain;
within instant messaging and presence applications of XMPP, this
address is called a "bare JID" and is of the form <node@domain>.
A node identifier MUST be formatted such that the Nodeprep profile of
[STRINGPREP] can be applied without failing (see Appendix A). Before
comparing two node identifiers, a server MUST (and a client SHOULD)
first apply the Nodeprep profile to each identifier.
3.4. Resource Identifier
The RESOURCE IDENTIFIER is an optional tertiary identifier placed
after the domain identifier and separated from the latter by the '/'
character. A resource identifier may modify either a <node@domain>
address or a mere <domain> address. It usually represents a specific
connection (e.g., a device or location) or object (e.g., a
participant in a multi-user chat room) belonging to the entity
associated with a node identifier. A resource identifier is opaque
to both servers and other clients, and is typically defined by a
client implementation when it provides the information necessary to
complete Resource Binding (Section 8) (although it may be generated
by a server on behalf of a client), after which the entity is
referred to as a "connected resource" and its address is referrred to
as a "full JID" (<node@domain/resource>). An entity MAY maintain
multiple connected resources simultaneously, with each connected
resource differentiated by a distinct resource identifier.
A resource identifier MUST be formatted such that the Resourceprep
profile of [STRINGPREP] can be applied without failing (see
Appendix B). Before comparing two resource identifiers, a server
MUST (and a client SHOULD) first apply the Resourceprep profile to
each identifier.
3.5. Determination of Addresses
After SASL negotiation (Section 7) and, if appropriate, Resource
Binding (Section 8), the receiving entity for a stream MUST determine
the initiating entity's JID.
For server-to-server communications, the initiating entity's JID
SHOULD be the authorization identity, derived from the authentication
identity, as defined by [SASL], if no authorization identity was
specified during SASL negotiation (Section 7).
For client-to-server communications, the "bare JID" (<node@domain>)
SHOULD be the authorization identity, derived from the authentication
identity, as defined in [SASL], if no authorization identity was
specified during SASL negotiation (Section 7); the resource
Saint-Andre Expires July 30, 2007 [Page 10]
Internet-Draft XMPP Core January 2007
identifier portion of the "full JID" (<node@domain/resource>) SHOULD
be the resource identifier negotiated by the client and server during
Resource Binding (Section 8).
The receiving entity MUST ensure that the resulting JID (including
node identifier, domain identifier, resource identifier, and
separator characters) conforms to the rules and formats defined
earlier in this section; to meet this restriction, the receiving
entity may need to replace the JID sent by the initiating entity with
the canonicalized JID as determined by the receiving entity.
4. TCP Binding
Although there is no necessary coupling of an XML stream to a [TCP]
connection (e.g., two entities could connect to each other via
another transport, e.g. [HTTP] as specified in [XEP-0124]), this
specification defines a binding of XMPP to TCP only.
Therefore, as XMPP is defined herein, an initiating entity (client or
server) MUST open a TCP connection at the receiving entity (server)
before it negotiates XML streams with the receiving entity. However,
prior to opening the TCP connection the initiating entity first MUST
resolve the Domain Name System (DNS) hostname associated with the
receiving entity and determine the appropriate TCP port for
communications with the receiving entity. The process is as follows:
1. Attempt to resolve the hostname using a [DNS-SRV] Service of
"xmpp-client" (for client-to-server connections) or "xmpp-server"
(for server-to-server connections) and Proto of "tcp", resulting
in resource records such as "_xmpp-client._tcp.example.com." or
"_xmpp-server._tcp.example.com."; the IP address and port at
which the initiating entity attempts to connect to the receiving
entity shall be those specified in the SRV lookup result.
2. If the SRV lookup fails, the fallback SHOULD be a normal IPv4 or
[IPv6] address record resolution to determine the IP address,
where the port used is the "xmpp-client" port of 5222 for client-
to-server connectionsn or the "xmpp-server" port 5269 for client-
to-server connections.
3. However, the fallback MAY be a DNS TXT lookup (see [DNS-TXT]) for
alternative connection methods, for example as described in
[XEP-0156].
TCP connections are handled differently in client-to-server
communications and server-to-server communications. Specifically:
Saint-Andre Expires July 30, 2007 [Page 11]
Internet-Draft XMPP Core January 2007
o Because a client is subordinate to a server and therefore a client
authenticates to the server but the server does not authenticate
to the client, it is necessary to have only one TCP connection
between client and server. Thus the server MUST allow the client
to share a single TCP connection for XML stanzas sent from client
to server and from server to client (i.e., the inital stream and
response stream as specified under XML Streams (Section 5)).
o Because two servers are peers and therefore each peers must
authenticate with the other, the servers MUST use two TCP
connections: one for XML stanzas sent from the first server to the
second server and another (initiated by the second server) for
stanzas from the second server to the first server.
5. XML Streams
5.1. Overview
Two fundamental concepts make possible the rapid, asynchronous
exchange of relatively small payloads of structured information
between presence-aware entities: XML streams and XML stanzas. These
terms are defined as follows:
Definition of XML Stream: An XML STREAM is a container for the
exchange of XML elements between any two entities over a network.
The start of an XML stream is denoted unambiguously by an opening
XML <stream> tag (with appropriate attributes and namespace
declarations), while the end of the XML stream is denoted
unambiguously by a closing XML </stream> tag. During the life of
the stream, the entity that initiated it can send an unbounded
number of XML elements over the stream, either elements used to
negotiate the stream (e.g., to complete TLS negotiation
(Section 6) or SASL negotiation (Section 7)) or XML stanzas. The
"initial stream" is negotiated from the initiating entity (usually
a client or server) to the receiving entity (usually a server),
and can be seen as corresponding to the initiating entity's
"connection" with the receiving entity. The initial stream
enables unidirectional communication from the initiating entity to
the receiving entity; in order to enable information exchange from
the receiving entity to the initiating entity, the receiving
entity MUST negotiate a stream in the opposite direction (the
"response stream").
Definition of XML Stanza: An XML STANZA is a discrete semantic unit
of structured information that is sent from one entity to another
over an XML stream, and is the basic unit of meaning in XMPP. An
XML stanza exists at the direct child level of the root <stream/>
element and is said to be well-balanced if it matches the
production [43] content of [XML]. The start of any XML stanza is
Saint-Andre Expires July 30, 2007 [Page 12]
Internet-Draft XMPP Core January 2007
denoted unambiguously by the element start tag at depth=1 of the
XML stream (e.g., <presence>), and the end of any XML stanza is
denoted unambiguously by the corresponding close tag at depth=1
(e.g., </presence>); a server MUST NOT process, deliver, or route
a partial stanza and MUST NOT attach meaning to the transmission
timing of any part of a stanza (before receipt of the close tag).
The only XML stanzas defined herein are the <message/>,
<presence/>, and <iq/> elements qualified by the default namespace
for the stream, as described under XML Stanzas (Section 9); an XML
element sent for the purpose of TLS negotiation (Section 6), SASL
negotiation (Section 7), or server dialback (Appendix C) is not
considered to be an XML stanza. An XML stanza MAY contain child
elements (with accompanying attributes, elements, and XML
character data) as necessary in order to convey the desired
information, which MAY be qualified by any XML namespace (see
[XML-NAMES]).
Consider the example of a client's connection to a server. In order
to connect to a server, a client MUST initiate an XML stream by
sending an opening <stream> tag to the server, optionally preceded by
a text declaration specifying the XML version and the character
encoding supported (see Inclusion of Text Declaration (Section 12.4)
and Character Encoding (Section 12.5)). Subject to local policies
and service provisioning, the server SHOULD then reply with a second
XML stream back to the client, again optionally preceded by a text
declaration. Once the client has completed SASL negotiation
(Section 7), the client MAY send an unbounded number of XML stanzas
over the stream to any recipient on the network. When the client
desires to close the stream, it simply sends a closing </stream> tag
to the server; for details, see Section 5.6.
Those who are accustomed to thinking of XML in a document-centric
manner may wish to view a client's connection to a server as
consisting of two open-ended XML documents: one from the client to
the server and one from the server to the client. From this
perspective, the root <stream/> element can be considered the
document entity for each "document", and the two "documents" are
built up through the accumulation of XML stanzas sent over the two
XML streams. However, this perspective is a convenience only; XMPP
does not deal in documents but in XML streams and XML stanzas.
In essence, then, an XML stream acts as an envelope for all the XML
stanzas sent during a connection. We can represent this in a
simplistic fashion as follows:
Saint-Andre Expires July 30, 2007 [Page 13]
Internet-Draft XMPP Core January 2007
|--------------------|
| <stream> |
|--------------------|
| <presence> |
| <show/> |
| </presence> |
|--------------------|
| <message to='foo'> |
| <body/> |
| </message> |
|--------------------|
| <iq to='bar'> |
| <query/> |
| </iq> |
|--------------------|
| ... |
|--------------------|
| </stream> |
|--------------------|
5.2. Stream Security
When negotiating XML streams in XMPP 1.0, TLS SHOULD be used as
defined under TLS negotiation (Section 6) and SASL MUST be used as
defined under SASL negotiation (Section 7). The initial stream and
the response stream MUST be secured separately, although security in
both directions MAY be established via mechanisms that provide mutual
authentication. An entity SHOULD NOT attempt to send XML Stanzas
(Section 9) over the stream before the stream has been authenticated,
but if it does, then the other entity MUST NOT accept such stanzas
and SHOULD return a <not-authorized/> stream error and then terminate
both the XML stream and the underlying TCP connection; note well that
this applies to XML stanzas only (i.e., <message/>, <presence/>, and
<iq/> elements qualified by the default namespace) and not to XML
elements used for stream negotiation (e.g., elements used to complete
TLS negotiation (Section 6) or SASL negotiation (Section 7)).
5.3. Stream Attributes
The attributes of the stream element are as follows:
o from -- In client-to-server communications, the 'from' attribute
SHOULD be included in the XML stream header sent from the
initiating entity to the receiving entity and (if included) MUST
be set to the account name (i.e., "bare JID" = <node@domain>) of
the entity controlling the client. In server-to-server
communications, the 'from' attribute SHOULD be included in the XML
stream header sent from the initiating entity to the receiving
Saint-Andre Expires July 30, 2007 [Page 14]
Internet-Draft XMPP Core January 2007
entity and (if included) MUST be set to a hostname serviced by the
initiating entity. In both client-to-server and server-to-server
communications, the 'from' attribute MUST be included in the XML
stream header by which the receiving entity responds to the
initiating entity and MUST be set to a hostname serviced by the
receiving entity that is granting access to the initiating entity.
Note: Each entity MUST verify the identity of the other entity
before exchanging XML stanzas with it (see the Client-to-Server
Communications (Section 15.3) and Server-to-Server Communications
(Section 15.4) sections of this document for details).
o to -- In both client-to-server and server-to-server
communications, the 'to' attribute SHOULD be included in the XML
stream header sent from the initiating entity to the receiving
entity and (if included) MUST be set to a hostname serviced by the
receiving entity. In client-to-server communications, if the
client included a 'from' address in the initial stream header then
the server SHOULD include a 'to' attribute in the XML stream
header by which it replies to the client and (if included) MUST
set the 'to' attribute to the bare JID specified in the 'from'
attribute of the XML stream header sent from the initiating entity
to the receiving entity. In server-to-server communications, if
the initiating entity included a 'from' address in the initial
stream header then the receiving entity SHOULD include a 'to'
attribute in the XML stream header by which it replies to the
initiating entity and (if included) MUST set the 'to' attribute to
the hostname specified in the 'from' attribute of the XML stream
header sent from the initiating entity to the receiving entity.
Note: Each entity MUST verify the identity of the other entity
before exchanging XML stanzas with it (see the Client-to-Server
Communications (Section 15.3) and Server-to-Server Communications
(Section 15.4) sections of this document for details).
o id -- The 'id' attribute SHOULD be used only in the XML stream
header from the receiving entity to the initiating entity. This
attribute is a unique identifier created by the receiving entity
to function as a identifier for the initiating entity's streams
with the receiving entity, and MUST be unique within the receiving
application (normally a server). Note well that the stream ID may
be security-critical and therefore MUST be both unpredictable and
nonrepeating (see [RANDOM] for recommendations regarding
randomness for security purposes). There SHOULD NOT be an 'id'
attribute on the XML stream header sent from the initiating entity
to the receiving entity; however, if an 'id' attribute is
included, it SHOULD be silently ignored by the receiving entity.
o xml:lang -- An 'xml:lang' attribute (as defined in Section 2.12 of
[XML]) SHOULD be included by the initiating entity on the header
for the initial stream to specify the default language of any
human-readable XML character data it sends over that stream. If
the attribute is included, the receiving entity SHOULD remember
Saint-Andre Expires July 30, 2007 [Page 15]
Internet-Draft XMPP Core January 2007
that value as the default for both the initial stream and the
response stream; if the attribute is not included, the receiving
entity SHOULD use a configurable default value for both streams,
which it MUST communicate in the header for the response stream.
For all stanzas sent over the initial stream, if the initiating
entity does not include an 'xml:lang' attribute, the receiving
entity SHOULD apply the default value; if the initiating entity
does include an 'xml:lang' attribute, the receiving entity MUST
NOT modify or delete it (see also xml:lang (Section 9.1.5)). The
value of the 'xml:lang' attribute MUST be an NMTOKEN (as defined
in Section 2.3 of [XML]) and MUST conform to the format defined in
[LANGTAGS].
o version -- The presence of the version attribute set to a value of
at least "1.0" signals support for the stream-related protocols
(including stream features) defined in this specification.
Detailed rules regarding the generation and handling of this
attribute are defined in the text that follows.
We can summarize as follows:
+----------+--------------------------+-------------------------+
| | initiating to receiving | receiving to initiating |
+----------+--------------------------+-------------------------+
| to | JID of receiver | JID of initiator |
| from | JID of initiator | JID of receiver |
| id | silently ignored | stream identifier |
| xml:lang | default language | default language |
| version | XMPP 1.0 supported | XMPP 1.0 supported |
+----------+--------------------------+-------------------------+
Note: The attributes of the root <stream/> element are not prepended
by a 'stream:' prefix because, in accordance with Section 5.3 of XML
namespaces specification [XML-NAMES], the default namespace does not
apply to attribute names.
5.3.1. Version Support
The version of XMPP specified herein is "1.0"; in particular, this
encapsulates the stream-related protocols (TLS negotiation
(Section 6), SASL negotiation (Section 7), and Stream Errors
(Section 5.8)), as well as the semantics of the three defined XML
stanza types (<message/>, <presence/>, and <iq/>). The numbering
scheme for XMPP versions is "<major>.<minor>". The major and minor
numbers MUST be treated as separate integers and each number MAY be
incremented higher than a single digit. Thus, "XMPP 2.4" would be a
lower version than "XMPP 2.13", which in turn would be lower than
"XMPP 12.3". Leading zeros (e.g., "XMPP 6.01") MUST be ignored by
recipients and MUST NOT be sent.
Saint-Andre Expires July 30, 2007 [Page 16]
Internet-Draft XMPP Core January 2007
The major version number should be incremented only if the stream and
stanza formats or required actions have changed so dramatically that
an older version entity would not be able to interoperate with a
newer version entity if it simply ignored the elements and attributes
it did not understand and took the actions specified in the older
specification. The minor version number indicates new capabilities,
and MUST be ignored by an entity with a smaller minor version number,
but used for informational purposes by the entity with the larger
minor version number. For example, a minor version number might
indicate the ability to process a newly defined value of the 'type'
attribute for message, presence, or IQ stanzas; the entity with the
larger minor version number would simply note that its correspondent
would not be able to understand that value of the 'type' attribute
and therefore would not send it.
The following rules apply to the generation and handling of the
'version' attribute within stream headers by implementations:
1. The initiating entity MUST set the value of the 'version'
attribute on the initial stream header to the highest version
number it supports (e.g., if the highest version number it
supports is that defined in this specification, it MUST set the
value to "1.0").
2. The receiving entity MUST set the value of the 'version'
attribute on the response stream header to either the value
supplied by the initiating entity or the highest version number
supported by the receiving entity, whichever is lower. The
receiving entity MUST perform a numeric comparison on the major
and minor version numbers, not a string match on
"<major>.<minor>".
3. If the version number included in the response stream header is
at least one major version lower than the version number included
in the initial stream header and newer version entities cannot
interoperate with older version entities as described above, the
initiating entity SHOULD generate an <unsupported-version/>
stream error and terminate the XML stream and underlying TCP
connection.
4. If either entity receives a stream header with no 'version'
attribute, the entity MUST consider the version supported by the
other entity to be "0.9" and SHOULD NOT include a 'version'
attribute in the stream header it sends in reply.
5.4. Namespace Declarations
The stream element MUST possess both a streams namespace declaration
and a default namespace declaration (as "namespace declaration" is
defined in the [XML-NAMES]). For detailed information regarding the
streams namespace and default namespace, see Namespace Names and
Saint-Andre Expires July 30, 2007 [Page 17]
Internet-Draft XMPP Core January 2007
Prefixes (Section 12.2).
5.5. Stream Features
If the initiating entity includes the 'version' attribute set to a
value of at least "1.0" in the initial stream header, the receiving
entity MUST send a <features/> child element (prefixed by the streams
namespace prefix) to the initiating entity in order to announce any
stream-level features that can be negotiated (or capabilities that
otherwise need to be advertised). Currently, this is used only to
advertise TLS negotiation (Section 6), SASL negotiation (Section 7),
resource binding (Section 8), and server dialback (Appendix C) as
defined herein; however, the stream features functionality can be
used to advertise other negotiable features as well. If an entity
does not understand or support some features, it SHOULD silently
ignore them. If one or more security features (e.g., TLS and SASL)
need to be successfully negotiated before a non-security-related
feature (e.g., Resource Binding) can be offered, the non-security-
related feature SHOULD NOT be included in the stream features that
are advertised before the relevant security features have been
negotiated. If a feature must be negotiated before the initiating
entity may proceed, that feature SHOULD include a <required/> child
element.
5.6. Closing Streams
At any time after XML streams have been negotiated between two
entities, either entity MAY close its stream to the other entity
(even in the absence of a stream error) by sending a closing stream
tag:
</stream:stream>
The entity that sends the closing stream tag SHOULD wait for the
other entity to also close its stream:
</stream:stream>
However, the entity that sends the first closing stream tag MAY
consider both streams to be void if the other entity does not send
its closing stream tag within a reasonable amount of time (where the
definition of "reasonable" is up to the implementation or
deployment).
After an entity sends a closing stream tag, it MUST NOT send further
data over that stream.
After the entity that sent the first closing stream tag receives a
Saint-Andre Expires July 30, 2007 [Page 18]
Internet-Draft XMPP Core January 2007
reciprocal closing stream tag from the other entity, it MUST
terminate the underlying TCP connection.
5.7. Reconnection
It can happen that an XMPP server goes offline while servicing
connections from clients and from other servers. Because the number
of such connections can be quite large, the reconnection algorithm
employed by entities that seek to reconnect can have a significant
impact on software and network performance. The following guidelines
are RECOMMENDED:
o The time to live (TTL) specified in Domain Name System records
SHOULD be honored, even if DNS results are cached; if the TTL has
not expired, an entity that seeks to reconnect SHOULD NOT re-
resolve DNS before reconnecting.
o The time that expires before an entity first seeks to reconnect
SHOULD be randomized (e.g., so that all clients do not attempt to
reconnect 30 seconds after being disconnected).
o If the first reconnection attempt does not succeed, an entity
SHOULD back off exponentially on the time between subsequent
reconnection attempts.
5.8. Stream Errors
The root stream element MAY contain an <error/> child element that is
prefixed by the streams namespace prefix. The error child MUST be
sent by a compliant entity (usually a server rather than a client) if
it perceives that a stream-level error has occurred.
5.8.1. Rules
The following rules apply to stream-level errors:
o It is assumed that all stream-level errors are unrecoverable;
therefore, if an error occurs at the level of the stream, the
entity that detects the error MUST send a stream error to the
other entity, send a closing </stream> tag, and terminate the
underlying TCP connection.
o If the error occurs while the stream is being set up, the
receiving entity MUST still send the opening <stream> tag, include
the <error/> element as a child of the stream element, send the
closing </stream> tag, and terminate the underlying TCP
connection. In this case, if the initiating entity provides an
unknown host in the 'to' attribute (or provides no 'to' attribute
at all), the server SHOULD provide the server's authoritative
hostname in the 'from' attribute of the stream header sent before
termination.
Saint-Andre Expires July 30, 2007 [Page 19]
Internet-Draft XMPP Core January 2007
5.8.2. Syntax
The syntax for stream errors is as follows:
<stream:error>
<defined-condition xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
[<text xmlns='urn:ietf:params:xml:ns:xmpp-streams'
xml:lang='langcode'>
OPTIONAL descriptive text
</text>]
[OPTIONAL application-specific condition element]
</stream:error>
The <error/> element:
o MUST contain a child element corresponding to one of the defined
stanza error conditions defined in the text that follows; this
element MUST be qualified by the
'urn:ietf:params:xml:ns:xmpp-streams' namespace
o MAY contain a <text/> child containing XML character data that
describes the error in more detail; this element MUST be qualified
by the 'urn:ietf:params:xml:ns:xmpp-streams' namespace and SHOULD
possess an 'xml:lang' attribute specifying the natural language of
the XML character data
o MAY contain a child element for an application-specific error
condition; this element MUST be qualified by an application-
defined namespace, and its structure is defined by that namespace
The <text/> element is OPTIONAL. If included, it SHOULD be used only
to provide descriptive or diagnostic information that supplements the
meaning of a defined condition or application-specific condition. It
SHOULD NOT be interpreted programmatically by an application. It
SHOULD NOT be used as the error message presented to a user, but MAY
be shown in addition to the error message associated with the
included condition element (or elements).
5.8.3. Defined Conditions
The following stream-level error conditions are defined:
o <bad-format/> -- the entity has sent XML that cannot be processed;
this error MAY be used instead of the more specific XML-related
errors, such as <bad-namespace-prefix/>, <invalid-xml/>,
<restricted-xml/>, <unsupported-encoding/>, and <xml-not-well-
formed/>, although the more specific errors are preferred.
o <bad-namespace-prefix/> -- the entity has sent a namespace prefix
that is unsupported, or has sent no namespace prefix on an element
that requires such a prefix (see XML Namespace Names and Prefixes
Saint-Andre Expires July 30, 2007 [Page 20]
Internet-Draft XMPP Core January 2007
(Section 12.2)).
o <conflict/> -- the server is closing the active stream for this
entity because a new stream has been initiated that conflicts with
the existing stream.
o <connection-timeout/> -- the entity has not generated any traffic
over the stream for some period of time (configurable according to
a local service policy).
o <host-gone/> -- the value of the 'to' attribute provided by the
initiating entity in the stream header corresponds to a hostname
that is no longer hosted by the server.
o <host-unknown/> -- the value of the 'to' attribute provided by the
initiating entity in the stream header does not correspond to a
hostname that is hosted by the server.
o <improper-addressing/> -- a stanza sent between two servers lacks
a 'to' or 'from' attribute (or the attribute has no value).
o <internal-server-error/> -- the server has experienced a
misconfiguration or an otherwise-undefined internal error that
prevents it from servicing the stream.
o <invalid-from/> -- the JID or hostname provided in a 'from'
address does not match an authorized JID or validated domain
negotiated between servers via SASL or dialback, or between a
client and a server via authentication and resource binding.
o <invalid-id/> -- the stream ID or dialback ID is invalid or does
not match an ID previously provided.
o <invalid-namespace/> -- the streams namespace name is something
other than "http://etherx.jabber.org/streams" or the dialback
namespace name is something other than "jabber:server:dialback"
(see XML Namespace Names and Prefixes (Section 12.2)).
o <invalid-xml/> -- the entity has sent invalid XML over the stream
to a server that performs validation (see Validation
(Section 12.3)).
o <not-authorized/> -- the entity has attempted to send XML stanzas
before the stream has been authenticated, or otherwise is not
authorized to perform an action related to stream negotiation; the
receiving entity MUST NOT process the offending stanza before
sending the stream error.
o <policy-violation/> -- the entity has violated some local service
policy (e.g., the entity is on a provisioned blacklist); the
server MAY choose to specify the policy in the <text/> element or
an application-specific condition element.
o <remote-connection-failed/> -- the server is unable to properly
connect to a remote entity that is required for authentication or
authorization.
o <resource-constraint/> -- the server lacks the system resources
necessary to service the stream.
o <restricted-xml/> -- the entity has attempted to send restricted
XML features such as a comment, processing instruction, DTD,
entity reference, or unescaped character (see Restrictions
Saint-Andre Expires July 30, 2007 [Page 21]
Internet-Draft XMPP Core January 2007
(Section 12.1)).
o <see-other-host/> -- the server will not provide service to the
initiating entity but is redirecting traffic to another host; the
XML character data of the <see-other-host/> element returned by
the server SHOULD specify the alternate hostname or IP address at
which to connect, which SHOULD be a valid domain identifier but
may also include a port number; if no port is specified, the
initiating entity SHOULD perform a [DNS-SRV] lookup on the
provided domain identifier but MAY assume that it can connect to
that domain identifier at the standard XMPP ports (5222 for
client-to-server connections and 5269 for server-to-server
connections).
o <system-shutdown/> -- the server is being shut down and all active
streams are being closed.
o <undefined-condition/> -- the error condition is not one of those
defined by the other conditions in this list; this error condition
SHOULD be used only in conjunction with an application-specific
condition.
o <unsupported-encoding/> -- the initiating entity has encoded the
stream in an encoding that is not supported by the server (see
Character Encoding (Section 12.5)).
o <unsupported-stanza-type/> -- the initiating entity has sent a
first-level child of the stream that is not supported by the
server.
o <unsupported-version/> -- the value of the 'version' attribute
provided by the initiating entity in the stream header specifies a
version of XMPP that is not supported by the server; the server
MAY specify the version(s) it supports in the <text/> element.
o <xml-not-well-formed/> -- the initiating entity has sent XML that
is not well-formed as defined by [XML].
5.8.4. Application-Specific Conditions
As noted, an application MAY provide application-specific stream
error information by including a properly-namespaced child in the
error element. The application-specific element SHOULD supplement or
further qualify a defined element. Thus the <error/> element will
contain two or three child elements:
<stream:error>
<xml-not-well-formed
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
<text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-streams'>
Some special application diagnostic information!
</text>
<escape-your-data xmlns='application-ns'/>
</stream:error>
</stream:stream>
Saint-Andre Expires July 30, 2007 [Page 22]
Internet-Draft XMPP Core January 2007
5.9. Simplified Stream Examples
This section contains two simplified examples of a stream-based
connection of a client on a server (where the "C" lines are sent from
the client to the server, and the "S" lines are sent from the server
to the client); these examples are included for the purpose of
illustrating the concepts introduced thus far.
A basic connection:
C: <?xml version='1.0'?>
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='juliet@example.com'
to='example.com'
version='1.0'>
S: <?xml version='1.0'?>
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='example.com'
id='someid'
to='juliet@example.com'
version='1.0'>
... encryption, authentication, and resource binding ...
C: <message from='juliet@example.com/balcony'
to='romeo@example.net'
xml:lang='en'>
C: <body>Art thou not Romeo, and a Montague?</body>
C: </message>
S: <message from='romeo@example.net/orchard'
to='juliet@example.com/balcony'
xml:lang='en'>
S: <body>Neither, fair saint, if either thee dislike.</body>
S: </message>
C: </stream:stream>
S: </stream:stream>
Saint-Andre Expires July 30, 2007 [Page 23]
Internet-Draft XMPP Core January 2007
A connection gone bad:
C: <?xml version='1.0'?>
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='juliet@example.com'
to='example.com'
version='1.0'>
S: <?xml version='1.0'?>
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='example.com'
id='someid'
to='juliet@example.com'
version='1.0'>
... encryption, authentication, and resource binding ...
C: <message xml:lang='en'>
<body>Bad XML, no closing body tag!
</message>
S: <stream:error>
<xml-not-well-formed
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
</stream:error>
S: </stream:stream>
More detailed examples are provided under Section 10.
6. TLS Negotiation
6.1. Overview
XMPP includes a method for securing the stream from tampering and
eavesdropping. This channel encryption method makes use of the
Transport Layer Security (TLS) protocol [TLS], along with a
"STARTTLS" extension that is modelled after similar extensions for
the [IMAP], [POP3], and [ACAP] protocols as described in [USINGTLS].
The namespace name for the STARTTLS extension is
'urn:ietf:params:xml:ns:xmpp-tls'.
An administrator of a given domain MAY require the use of TLS for
client-to-server communications, server-to-server communications, or
both. Clients SHOULD use TLS to secure the streams prior to
attempting the completion of SASL negotiation (Section 7), and
Saint-Andre Expires July 30, 2007 [Page 24]
Internet-Draft XMPP Core January 2007
servers SHOULD use TLS between two domains for the purpose of
securing server-to-server communications.
The following rules apply:
1. An initiating entity that complies with this specification MUST
include the 'version' attribute set to a value of "1.0" in the
initial stream header.
2. If the TLS negotiation occurs between two servers,
communications MUST NOT proceed until the Domain Name System
(DNS) hostnames asserted by the servers have been resolved (see
Server-to-Server Communications (Section 15.4)).
3. When a receiving entity that complies with this specification
receives an initial stream header that includes the 'version'
attribute set to a value of at least "1.0", after sending a
stream header in reply (including the version flag), it MUST
include a <starttls/> element (qualified by the
'urn:ietf:params:xml:ns:xmpp-tls' namespace) along with the list
of other stream features it supports.
4. If the initiating entity chooses to use TLS, TLS negotiation
MUST be completed before proceeding to SASL negotiation; this
order of negotiation is required to help safeguard
authentication information sent during SASL negotiation, as well
as to make it possible to base the use of the SASL EXTERNAL
mechanism on a certificate provided during prior TLS
negotiation.
5. During TLS negotiation, an entity MUST NOT send any white space
characters (matching production [3] content of [XML]) within the
root stream element as separators between elements (any white
space characters shown in the TLS examples that follow are
included for the sake of readability only); this prohibition
helps to ensure proper security layer byte precision.
6. The receiving entity MUST consider the TLS negotiation to have
begun immediately after sending the closing ">" character of the
<proceed/> element to the initiating entity. The initiating
entity MUST consider the TLS negotiation to have begun
immediately after receiving the closing ">" character of the
<proceed/> element from the receiving entity.
7. The initiating entity MUST validate the certificate presented by
the receiving entity; see Certificate Validation (Section 15.2)
regarding certificate validation procedures.
8. Certificates MUST be checked against the hostname as provided by
the initiating entity (e.g., a user), not the hostname as
resolved via the Domain Name System; e.g., if the user specifies
a hostname of "example.net" but a [DNS-SRV] lookup returned
"im.example.net", the certificate MUST be checked as
"example.net". If a JID for an XMPP client (e.g., an end user
account) is represented in a certificate, it MUST be represented
Saint-Andre Expires July 30, 2007 [Page 25]
Internet-Draft XMPP Core January 2007
as a UTF8String within an otherName entity inside the
subjectAltName, using the [ASN.1] Object Identifier "id-on-
xmppAddr" specified in Section 6.1.1 of this document. If a JID
for an XMPP server is represented in a certificate, it SHOULD be
represented as a UTF8String within an otherName entity inside
the subjectAltName, using the [ASN.1] Object Identifier "id-on-
xmppAddr" specified in Section 6.1.1 of this document; however,
the JID for an XMPP server MAY also or instead be represented as
a subjectAltName extension of type dNSName, where the dNSName
may contain the wildcard character '*', which applies only to
the left-most domain name component or component fragment and is
considered to match any single component or component fragment
(e.g., *.example.com matches foo.example.com but not
bar.foo.example.com, and im*.example.net matches im1.example.net
and im2.example.net but not chat.example.net).
9. If the TLS negotiation is successful, the initiating entity MUST
send a new stream header to the receiving entity.
10. If the TLS negotiation is successful, the receiving entity MUST
discard any knowledge obtained in an insecure manner from the
initiating entity before TLS takes effect.
11. If the TLS negotiation is successful, the initiating entity MUST
discard any knowledge obtained in an insecure manner from the
receiving entity before TLS takes effect.
12. If the TLS negotiation is successful, the receiving entity MUST
NOT offer the STARTTLS extension to the initiating entity along
with the other stream features that are offered after the new
stream header is received and responded to.
13. If the TLS negotiation is successful, the initiating entity MUST
continue with SASL negotiation.
14. If the TLS negotiation results in failure, the receiving entity
MUST terminate both the XML stream and the underlying TCP
connection.
15. See Mandatory-to-Implement Technologies (Section 15.7) regarding
mechanisms that MUST be supported.
6.1.1. ASN.1 Object Identifier for XMPP Address
The [ASN.1] Object Identifier "id-on-xmppAddr" described above is
defined as follows:
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
id-on OBJECT IDENTIFIER ::= { id-pkix 8 } -- other name forms
id-on-xmppAddr OBJECT IDENTIFIER ::= { id-on 5 }
XmppAddr ::= UTF8String
Saint-Andre Expires July 30, 2007 [Page 26]
Internet-Draft XMPP Core January 2007
This Object Identifier MAY also be represented in dotted display
format (i.e., "1.3.6.1.5.5.7.8.5") or in the Uniform Resource Name
notation specified in [URN-OID] (i.e., "urn:oid:1.3.6.1.5.5.7.8.5").
Thus for example the JID "example.com" as included in a certificate
might be formatted as "subjectAltName=otherName:
1.3.6.1.5.5.7.8.5;UTF8:example.com".
6.2. Narrative
When an initiating entity secures a stream with a receiving entity
using TLS, the steps involved are as follows:
1. The initiating entity opens a TCP connection and initiates the
stream by sending the opening XML stream header to the receiving
entity, including the 'version' attribute set to a value of at
least "1.0".
2. The receiving entity responds by opening a TCP connection and
sending an XML stream header to the initiating entity, including
the 'version' attribute set to a value of at least "1.0".
3. The receiving entity offers the STARTTLS extension to the
initiating entity by including it with the list of other
supported stream features (if successful TLS negotiation is
required for interaction with the receiving entity, it SHOULD
signal that fact by including a <required/> element as a child of
the <starttls/> element); the receiving entity SHOULD also
include a list of supported SASL mechanisms in the stream
features.
4. The initiating entity issues the STARTTLS command (i.e., a
<starttls/> element qualified by the
'urn:ietf:params:xml:ns:xmpp-tls' namespace) to instruct the
receiving entity that it wishes to begin a TLS negotiation to
secure the stream.
5. The receiving entity MUST reply with either a <proceed/> element
or a <failure/> element qualified by the
'urn:ietf:params:xml:ns:xmpp-tls' namespace. If the failure case
occurs, the receiving entity MUST terminate both the XML stream
and the underlying TCP connection (failure cases include when the
initiating entity sends a malformed STARTTLS command, when the
receiving entity does not offer TLS negotiation either
temporarily or permanently, and when the receiving entity cannot
complete TLS negotiation because of an internal error). If the
proceed case occurs, the entities MUST attempt to complete the
TLS negotiation over the TCP connection and MUST NOT send any
further XML data until the TLS negotiation is complete.
6. The initiating entity and receiving entity attempt to complete a
TLS negotiation in accordance with [TLS].
Saint-Andre Expires July 30, 2007 [Page 27]
Internet-Draft XMPP Core January 2007
7. If the TLS negotiation is unsuccessful, the receiving entity MUST
terminate the TCP connection. If the TLS negotiation is
successful, the initiating entity MUST initiate a new stream by
sending an opening XML stream header to the receiving entity (it
is not necessary to send a closing </stream> tag first, since the
receiving entity and initiating entity MUST consider the original
stream to be closed upon successful TLS negotiation).
8. Upon receiving the new stream header from the initiating entity,
the receiving entity MUST respond by sending a new XML stream
header to the initiating entity along with the available features
(but not including the STARTTLS feature) and SHOULD include an
updated list of SASL mechanisms so that the initiating entity can
detect any changes to the list of SASL mechanisms supported by
the receiving entity.
Examples of TLS negotiation are provided under Section 10.
7. SASL Negotiation
7.1. Overview
XMPP includes a method for authenticating a stream by means of an
XMPP-specific profile of the Simple Authentication and Security Layer
protocol (see [SASL]). SASL provides a generalized method for adding
authentication support to connection-based protocols, and XMPP uses a
generic XML namespace profile for SASL that conforms to the profiling
requirements of [SASL].
The following rules apply:
1. If the SASL negotiation occurs between two servers,
communications MUST NOT proceed until the Domain Name System
(DNS) hostnames asserted by the servers have been resolved (see
Server-to-Server Communications (Section 15.4)).
2. If the initiating entity is capable of SASL negotiation, it MUST
include the 'version' attribute set to a value of at least "1.0"
in the initial stream header.
3. If the receiving entity is capable of SASL negotiation, it MUST
advertise one or more authentication mechanisms within a
<mechanisms/> element qualified by the
'urn:ietf:params:xml:ns:xmpp-sasl' namespace in reply to the
opening stream tag received from the initiating entity (if the
opening stream tag included the 'version' attribute set to a
value of at least "1.0").
4. During SASL negotiation, an entity MUST NOT send any white space
characters (matching production [3] content of [XML]) within the
root stream element as separators between elements (any white
Saint-Andre Expires July 30, 2007 [Page 28]
Internet-Draft XMPP Core January 2007
space characters shown in the SASL examples that follow are
included for the sake of readability only); this prohibition
helps to ensure proper security layer byte precision.
5. Any XML character data contained within the XML elements used
during SASL negotiation MUST be encoded using base64, where the
encoding adheres to the definition in Section 3 of RFC 3548
[BASE64].
6. If the receiving entity does not include a 'realm' value, the
initiating entity must default it to the domain identifier
portion of the receiving entity's JID.
7. If provision of a "simple username" is supported by the selected
SASL mechanism (e.g., this is supported by the DIGEST-MD5 and
CRAM-MD5 mechanisms but not by the EXTERNAL and GSSAPI
mechanisms), during authentication the initiating entity SHOULD
provide as the simple username its sending domain (IP address or
fully qualified domain name as contained in a domain identifier)
in the case of server-to-server communications or its registered
account name (user or node name as contained in an XMPP node
identifier) in the case of client-to-server communications. In
either case, the initiating entity MUST ensure that the username
adheres to the [NAMEPREP] or Nodeprep (Appendix A) profile of
[STRINGPREP] (as appropriate) before sending it to the receiving
entity. (Note: Account provisioning is out of scope for this
specification; possible methods for account provisioning include
account creation by a server administrator and in-band account
registration using the 'jabber:iq:register' namespace as
documented in [XEP-0077].)
8. If the initiating entity wishes to act on behalf of another
entity and the selected SASL mechanism supports transmission of
an authorization identity, the initiating entity MUST provide an
authorization identity during SASL negotiation. If the
initiating entity does not wish to act on behalf of another
entity, it MUST NOT provide an authorization identity. As
specified in [SASL], the initiating entity MUST NOT provide an
authorization identity unless the authorization identity is
different from the default authorization identity derived from
the authentication identity. If provided, the value of the
authorization identity MUST be of the form <domain> (i.e., a
domain identifier only) for servers and of the form
<node@domain> (i.e., node identifier and domain identifier) for
clients.
9. If the SASL negotiation is successful, the initiating entity
MUST send a new stream header to the receiving entity.
10. Upon successful SASL negotiation that involves negotiation of a
security layer, the receiving entity MUST discard any knowledge
obtained from the initiating entity which was not obtained from
the SASL negotiation itself; the receiving entity SHOULD also
send new stream features (including an updated list of SASL
Saint-Andre Expires July 30, 2007 [Page 29]
Internet-Draft XMPP Core January 2007
mechanisms) so that the initiating entity can detect any changes
to the list of mechanisms supported by the receiving entity.
11. Upon successful SASL negotiation that involves negotiation of a
security layer, the initiating entity MUST discard any knowledge
obtained from the receiving entity which was not obtained from
the SASL negotiation itself.
12. See Mandatory-to-Implement Technologies (Section 15.7) regarding
mechanisms that MUST be supported; naturally, other SASL
mechanisms MAY be supported as well (best practices for the use
of several SASL mechanisms in the context of XMPP are described
in [XEP-0175] and [XEP-0178]).
7.2. Narrative
When an initiating entity authenticates with a receiving entity using
SASL, the steps involved are as follows:
1. The initiating entity requests SASL authentication by including
the 'version' attribute in the opening XML stream header sent to
the receiving entity, with the value set to "1.0".
2. After sending an XML stream header in reply, the receiving entity
advertises a list of available SASL authentication mechanisms as
stream features; each of these is a <mechanism/> element included
as a child within a <mechanisms/> container element qualified by
the 'urn:ietf:params:xml:ns:xmpp-sasl' namespace, which in turn
is a child of a <features/> element in the streams namespace. If
TLS negotiation (Section 6) needs to be completed before a
particular authentication mechanism may be used, the receiving
entity MUST NOT provide that mechanism in the list of available
SASL authentication mechanisms prior to TLS negotiation. If the
initiating entity presents a valid certificate during prior TLS
negotiation, the receiving entity SHOULD offer the SASL EXTERNAL
mechanism to the initiating entity during SASL negotiation (refer
to [SASL]), although the EXTERNAL mechanism MAY be offered under
other circumstances as well. If successful SASL negotiation is
required for interaction with the receiving entity, it SHOULD
signal that fact by including a <required/> element as a child of
the <mechanisms/> element.
3. The initiating entity selects a mechanism by sending an <auth/>
element qualified by the 'urn:ietf:params:xml:ns:xmpp-sasl'
namespace to the receiving entity and including an appropriate
value for the 'mechanism' attribute. This element MAY contain
XML character data (in SASL terminology, the "initial response")
if the mechanism supports or requires it; if the initiating
entity needs to send a zero-length initial response, it MUST
transmit the response as a single equals sign ("="), which
indicates that the response is present but contains no data.
Saint-Andre Expires July 30, 2007 [Page 30]
Internet-Draft XMPP Core January 2007
4. If necessary, the receiving entity challenges the initiating
entity by sending to the initiating entity a <challenge/> element
qualified by the 'urn:ietf:params:xml:ns:xmpp-sasl' namespace;
this element MAY contain XML character data (which MUST be
computed in accordance with the definition of the SASL mechanism
chosen by the initiating entity).
5. The initiating entity responds to the challenge by sending to the
receiving entity a <response/> element qualified by the
'urn:ietf:params:xml:ns:xmpp-sasl' namespace; this element MAY
contain XML character data (which MUST be computed in accordance
with the definition of the SASL mechanism chosen by the
initiating entity).
6. If necessary, the receiving entity sends more challenges and the
initiating entity sends more responses.
This series of challenge/response pairs continues until one of three
things happens:
1. The initiating entity aborts the handshake by sending an <abort/>
element qualified by the 'urn:ietf:params:xml:ns:xmpp-sasl'
namespace to the receiving entity. Upon receiving an <abort/>
element, the receiving entity SHOULD allow a configurable but
reasonable number of retries (at least 2), after which it MUST
terminate the TCP connection; this enables the initiating entity
(e.g., an end-user client) to tolerate incorrectly-provided
credentials (e.g., a mistyped password) without being forced to
reconnect.
2. The receiving entity reports failure of the handshake by sending
a <failure/> element qualified by the
'urn:ietf:params:xml:ns:xmpp-sasl' namespace to the initiating
entity (the particular cause of failure SHOULD be communicated in
an appropriate child element of the <failure/> element as defined
under SASL Errors (Section 7.4)). If the failure case occurs,
the receiving entity SHOULD allow a configurable but reasonable
number of retries (at least 2), after which it MUST terminate the
TCP connection; this enables the initiating entity (e.g., an end-
user client) to tolerate incorrectly-provided credentials (e.g.,
a mistyped password) without being forced to reconnect.
3. The receiving entity reports success of the handshake by sending
a <success/> element qualified by the
'urn:ietf:params:xml:ns:xmpp-sasl' namespace to the initiating
entity; this element MAY contain XML character data (in SASL
terminology, "additional data with success") if required by the
chosen SASL mechanism; if the receiving entity needs to send
additional data of zero length, it MUST transmit the data as a
single equals sign ("="). Upon receiving the <success/> element,
the initiating entity MUST initiate a new stream by sending an
opening XML stream header to the receiving entity (it is not
Saint-Andre Expires July 30, 2007 [Page 31]
Internet-Draft XMPP Core January 2007
necessary to send a closing </stream> tag first, since the
receiving entity and initiating entity MUST consider the original
stream to be closed upon sending or receiving the <success/>
element). Upon receiving the new stream header from the
initiating entity, the receiving entity MUST respond by sending a
new XML stream header to the initiating entity, along with any
available features or an empty <features/> element (to signify
that no additional features are available); any such additional
features not defined herein MUST be defined by the relevant
extension to XMPP. As noted, if SASL negotiation involved
establishment of a security layer, the receiving entity SHOULD
send an updated list of SASL mechanisms so that the initiating
entity can detect any changes to the list of mechanisms supported
by the receiving entity.
7.3. SASL Definition
The profiling requirements of [SASL] require that the following
information be supplied by a protocol definition:
service name: "xmpp"
initiation sequence: After the initiating entity provides an opening
XML stream header and the receiving entity replies in kind, the
receiving entity provides a list of acceptable authentication
methods. The initiating entity chooses one method from the list
and sends it to the receiving entity as the value of the
'mechanism' attribute possessed by an <auth/> element, optionally
including an initial response to avoid a round trip.
exchange sequence: Challenges and responses are carried through the
exchange of <challenge/> elements from receiving entity to
initiating entity and <response/> elements from initiating entity
to receiving entity. The receiving entity reports failure by
sending a <failure/> element and success by sending a <success/>
element; the initiating entity aborts the exchange by sending an
<abort/> element. Upon successful negotiation, both sides
consider the original XML stream to be closed and new stream
headers are sent by both entities.
security layer negotiation: The security layer takes effect
immediately after sending the closing ">" character of the
<success/> element for the receiving entity, and immediately after
receiving the closing ">" character of the <success/> element for
the initiating entity. The order of layers is first [TCP], then
[TLS], then [SASL], then XMPP.
use of the authorization identity: The authorization identity may be
used by xmpp to denote the non-default <node@domain> of a client
or the sending <domain> of a server; an empty string is equivalent
to an absent authorization identity.
Saint-Andre Expires July 30, 2007 [Page 32]
Internet-Draft XMPP Core January 2007
7.4. SASL Errors
The following SASL-related error conditions are defined:
o <aborted/> -- The receiving entity acknowledges an <abort/>
element sent by the initiating entity; sent in reply to the
<abort/> element.
o <incorrect-encoding/> -- The data provided by the initiating
entity could not be processed because the [BASE64] encoding is
incorrect (e.g., because the encoding does not adhere to the
definition in Section 3 of [BASE64]); sent in reply to a
<response/> element or an <auth/> element with initial response
data.
o <invalid-authzid/> -- The authzid provided by the initiating
entity is invalid, either because it is incorrectly formatted or
because the initiating entity does not have permissions to
authorize that ID; sent in reply to a <response/> element or an
<auth/> element with initial response data.
o <invalid-mechanism/> -- The initiating entity did not provide a
mechanism or requested a mechanism that is not supported by the
receiving entity; sent in reply to an <auth/> element.
o <malformed-request/> -- The challenge or response is malformed
(e.g., the <auth/> element includes an initial response but the
mechanism does not allow that); sent in reply to an <abort/>,
<auth/>, <challenge/>, or <response/> element.
o <mechanism-too-weak/> -- The mechanism requested by the initiating
entity is weaker than server policy permits for that initiating
entity; sent in reply to a <response/> element or an <auth/>
element with initial response data.
o <not-authorized/> -- The authentication failed because the
initiating entity did not provide proper credentials (this
includes but is not limited to the case of an unknown username,
and no differentiation is made between an unknown username and
incorrect credentials); sent in reply to a <response/> element or
an <auth/> element with initial response data.
o <temporary-auth-failure/> -- The authentication failed because of
a temporary error condition within the receiving entity, and the
initiating entity should try again later; sent in reply to an
<auth/> element or <response/> element.
Examples of SASL negotiation are provided under Section 10.
8. Resource Binding
After a client authenticates with a server, it MUST bind a specific
resource to the stream so that the server can properly address the
client (see addresses (Section 3)) and route XML stanzas to and from
Saint-Andre Expires July 30, 2007 [Page 33]
Internet-Draft XMPP Core January 2007
the client (see stanza delivery rules (Section 11)). That is, there
MUST be a resource identifier associated with the "bare JID"
(<node@domain>) of the client; this ensures that the address for use
over that stream is a "full JID" of the form <node@domain/resource>.
After binding a resource to the stream, the client is referred to as
a CONNECTED RESOURCE.
Upon receiving a success indication within the SASL negotiation, the
client MUST send a new stream header to the server, to which the
server MUST respond with a stream header as well as a list of
available stream features. Specifically, if the server requires the
client to bind a resource to the stream after successful SASL
negotiation, it MUST include a <bind/> element qualified by the
'urn:ietf:params:xml:ns:xmpp-bind' namespace in the stream features
list it presents to the client upon sending the header for the
response stream sent after successful SASL negotiation (but not
before); this <bind/> element SHOULD include an empty <required/>
element as well.
Server advertises resource binding feature to client:
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='example.com'
id='c2s_345'
to='juliet@example.com'
version='1.0'>
<stream:features>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<required/>
</bind>
</stream:features>
Upon being so informed that resource binding is required, the client
MUST bind a resource to the stream by sending to the server an IQ
stanza of type "set" (see IQ Semantics (Section 9.2.3)) containing
data qualified by the 'urn:ietf:params:xml:ns:xmpp-bind' namespace.
If the client wishes to allow the server to generate the resource
identifier on its behalf, it sends an IQ stanza of type "set" that
contains an empty <bind/> element.
Saint-Andre Expires July 30, 2007 [Page 34]
Internet-Draft XMPP Core January 2007
Client asks server to bind a resource:
<iq type='set' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
</iq>
A server that supports resource binding MUST be able to generate a
resource identifier on behalf of a client. A resource identifier
generated by the server MUST be currently unique for that
<node@domain>.
If the client wishes to specify the resource identifier, it MUST send
an IQ stanza of type "set" that contains the desired resource
identifier as the non-zero-length XML character data of a <resource/>
element that is a child of the <bind/> element.
Client binds a resource:
<iq type='set' id='bind_2'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<resource>balcony</resource>
</bind>
</iq>
Once the server has generated a resource identifier for the client or
accepted the resource identifier provided by the client, it MUST
return an IQ stanza of type "result" to the client, which MUST
include a <jid/> child element that specifies the full JID for the
connected resource as determined by the server.
Server informs client of successful resource binding:
<iq type='result' id='bind_2'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<jid>juliet@example.com/balcony</jid>
</bind>
</iq>
A server SHOULD accept the resource identifier provided by the
client, but MAY override it with a resource identifier that the
server generates; in this case, the server SHOULD NOT return a stanza
error (e.g., <forbidden/>) to the client but instead SHOULD
communicate the generated resource identifier to the client in the IQ
result as shown above.
When a client supplies a resource identifier, the following stanza
error conditions are possible (see Stanza Errors (Section 9.3)):
Saint-Andre Expires July 30, 2007 [Page 35]
Internet-Draft XMPP Core January 2007
o The provided resource identifier cannot be processed by the
server, e.g. because it is not in accordance with Resourceprep
(Appendix B).
o The client is not allowed to bind a resource to the stream (e.g.,
because the node or user has reached a limit on the number of
connected resources allowed).
o The provided resource identifier is already in use but the server
does not allow binding of multiple connected resources with the
same identifier.
The protocol for these error conditions is as follows.
Resource identifier cannot be processed:
<iq type='error' id='bind_2'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<resource>someresource</resource>
</bind>
<error type='modify'>
<bad-request xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
Client is not allowed to bind a resource:
<iq type='error' id='bind_2'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<resource>someresource</resource>
</bind>
<error type='cancel'>
<not-allowed xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
If there is already a connected resource of the same name, the server
MUST do one of the following:
1. Not accept the resource identifier provided by the client but
instead override it with a resource identifier that the server
generates.
2. Terminate the current resource and allow the newly-requested
resource.
3. Disallow the newly-requested resource and maintain the current
resource.
Which of these the server does is up to the implementation, although
it is RECOMMENDED to implement case #1. In case #2, the server MUST
send a <conflict/> stream error to the current resource, terminate
Saint-Andre Expires July 30, 2007 [Page 36]
Internet-Draft XMPP Core January 2007
the XML stream and underlying TCP connection for the current
resource, and return a IQ stanza of type "result" (indicating
success) to the newly-requested resource. In case #3, the server
MUST either (a) return a server-generated resource name or (b) send a
<conflict/> stanza error to the newly-requested resource but maintain
the XML stream for that connection so that the newly-requested
resource has an opportunity to negotiate a non-conflicting resource
identifier before sending another request for resource binding.
Resource identifier is in use:
<iq type='error' id='bind_2'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<resource>someresource</resource>
</bind>
<error type='cancel'>
<conflict xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
If, before completing the resource binding step, the client attempts
to send an outbound XML stanza (i.e., a stanza not directed to the
server itself or to the client's own account), the server MUST NOT
process the stanza and SHOULD return a <not-authorized/> stanza error
to the client.
8.1. Binding Multiple Resources
A server MAY support binding of multiple resources to the same
stream. This functionality is desirable in certain environments
(e.g., for devices that are unable to open more than one TCP
connection or when a machine runs an XMPP client daemon that is used
by multiple applications). If a server supports binding of multiple
resources to a stream, it MUST enable a client to unbind resources.
This shall be completed by sending an IQ-set with a child element of
<unbind/> qualified by the 'urn:ietf:params:xml:ns:xmpp-bind'
namespace, which in turn has a child element of <resource/> whose XML
character data specifies the resource to be unbound:
<iq type='set' id='unbind_1'>
<unbind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<resource>someresource</resource>
</unbind>
</iq>
If the server does not understand the <unbind/> element, it MUST
return an error of <bad-request/>. Otherwise, if there is no such
resource for that stream, the server MUST return an error of <item-
Saint-Andre Expires July 30, 2007 [Page 37]
Internet-Draft XMPP Core January 2007
not-found/>. When the client unbinds the only resource associated
with the stream, the server SHOULD close the stream and terminate the
TCP connection.
A server SHOULD advertise its support for the
'urn:ietf:params:xml:ns:xmpp-bind' namespace by returning an
appropriate stream feature as follows:
<stream:features>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
<unbind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
</stream:features>
When a client binds multiple resources to the same stream, proper
management of 'from' addresses is imperative. In particular, a
client MUST specify a 'from' address on every stanza it sends over a
stream to which it has bound multiple resources, where the 'from'
address is the full JID (<node@domain.tld/resource>) associated with
the relevant resource. If a client does not specify a 'from' address
on a stanza it sends over a stream to which it has bound multiple
resources (or if it specifies as the 'from' address a full JID other
than one of the bound resources), the server MUST return the stanza
to the client with an <unknown-sender/> stanza error.
Naturally, the rules regarding validation of asserted 'from'
addresses still apply (see Section 11).
9. XML Stanzas
After a client has connected to a server or two servers have
connected to each other, either party can send XML stanzas over the
negotiated stream. Three kinds of XML stanza are defined for the
'jabber:client' and 'jabber:server' namespaces: <message/>,
<presence/>, and <iq/>. In addition, there are five common
attributes for these kinds of stanza. These common attributes, as
well as the basic semantics of the three stanza kinds, are defined
herein; more detailed information regarding the syntax of XML stanzas
for instant messaging and presence applications is provided in
[XMPP-IM], and for other applications in the relevant XMPP extension
specifications.
An XML stanza is the basic unit of meaning in XMPP. A server MUST
NOT process, deliver, or route a partial stanza and a server MUST NOT
attach meaning to the transmission timing of any child element within
a stanza.
Saint-Andre Expires July 30, 2007 [Page 38]
Internet-Draft XMPP Core January 2007
9.1. Common Attributes
The following five attributes are common to message, presence, and IQ
stanzas:
9.1.1. to
The 'to' attribute specifies the JID of the intended recipient for
the stanza.
In the 'jabber:client' namespace, a stanza with a specific intended
recipient MUST possess a 'to' attribute, whereas a stanza sent from a
client to a server for direct processing by that server (e.g.,
presence sent to the server for broadcasting to other entities)
SHOULD NOT possess a 'to' attribute.
In the 'jabber:server' namespace, a stanza MUST possess a 'to'
attribute; if a server receives a stanza that does not meet this
restriction, it MUST generate an <improper-addressing/> stream error
condition and terminate both the XML stream and the underlying TCP
connection with the offending server.
If the value of the 'to' attribute is invalid or cannot be contacted,
the entity discovering that fact (usually the sender's or recipient's
server) MUST return an appropriate error to the sender, setting the
'from' attribute of the error stanza to the value provided in the
'to' attribute of the offending stanza.
9.1.2. from
The 'from' attribute specifies the JID of the sender.
When a server receives an XML stanza within the context of an
authenticated stream qualified by the 'jabber:client' namespace, it
MUST do one of the following:
1. validate that the value of the 'from' attribute provided by the
client is that of a connected resource for the associated entity
2. add a 'from' address to the stanza whose value is the full JID
(<node@domain/resource>) determined by the server for the
connected resource that generated the stanza (see Determination
of Addresses (Section 3.5)), or the bare JID (<node@domain>) in
the case of subscription-related presence stanzas (see [XMPP-IM]
for details)
If a client attempts to send an XML stanza for which the value of the
'from' attribute does not exactly match one of the connected
resources for that entity, the server SHOULD return an <invalid-
from/> stream error to the client. If a client attempts to send an
Saint-Andre Expires July 30, 2007 [Page 39]
Internet-Draft XMPP Core January 2007
XML stanza over a stream that is not yet authenticated, the server
SHOULD return a <not-authorized/> stream error to the client. If
generated, both of these conditions MUST result in closure of the
stream and termination of the underlying TCP connection; this helps
to prevent a denial of service attack launched from a rogue client.
When a server generates a stanza from the server itself for delivery
to a connected client (e.g., in the context of data storage services
provided by the server on behalf of the client), the stanza MUST
either (1) not include a 'from' attribute or (2) include a 'from'
attribute whose value is the account's bare JID (<node@domain>) or
connected resource's full JID (<node@domain/resource>). A server
MUST NOT send to the client a stanza without a 'from' attribute if
the stanza was not generated by the server itself. When a client
receives a stanza that does not include a 'from' attribute, it MUST
assume that the stanza is from the server to which the client is
connected.
In the 'jabber:server' namespace, a stanza MUST possess a 'from'
attribute; if a server receives a stanza that does not meet this
restriction, it MUST generate an <improper-addressing/> stream error
condition. Furthermore, the domain identifier portion of the JID
contained in the 'from' attribute MUST match the hostname of the
sending server (or any validated domain thereof, such as a validated
subdomain of the sending server's hostname or another validated
domain hosted by the sending server) as communicated in the SASL
negotiation or dialback negotiation; if a server receives a stanza
that does not meet this restriction, it MUST generate an <invalid-
from/> stream error condition. Both of these conditions MUST result
in closure of the stream and termination of the underlying TCP
connection; this helps to prevent a denial of service attack launched
from a rogue server.
9.1.3. id
The optional 'id' attribute MAY be used by a sending entity for
internal tracking of stanzas that it sends and receives (especially
for tracking the request-response interaction inherent in the
semantics of IQ stanzas). It is OPTIONAL for the value of the 'id'
attribute to be unique globally, within a domain, or within a stream.
The semantics of IQ stanzas impose additional restrictions; see IQ
Semantics (Section 9.2.3).
9.1.4. type
The 'type' attribute specifies detailed information about the purpose
or context of the message, presence, or IQ stanza. The particular
allowable values for the 'type' attribute vary depending on whether
Saint-Andre Expires July 30, 2007 [Page 40]
Internet-Draft XMPP Core January 2007
the stanza is a message, presence, or IQ; the values for message and
presence stanzas are specific to instant messaging and presence
applications and therefore are defined in [XMPP-IM], whereas the
values for IQ stanzas specify the role of an IQ stanza in a
structured request-response "conversation" and thus are defined under
IQ Semantics (Section 9.2.3) below. The only 'type' value common to
all three stanzas is "error"; see Stanza Errors (Section 9.3).
9.1.5. xml:lang
A stanza SHOULD possess an 'xml:lang' attribute (as defined in
Section 2.12 of [XML]) if the stanza contains XML character data that
is intended to be presented to a human user (as explained in
[CHARSET], "internationalization is for humans"). The value of the
'xml:lang' attribute specifies the default language of any such
human-readable XML character data, which MAY be overridden by the
'xml:lang' attribute of a specific child element. If a stanza does
not possess an 'xml:lang' attribute, an implementation MUST assume
that the default language is that specified for the stream as defined
under Stream Attributes (Section 5.3) above. The value of the 'xml:
lang' attribute MUST be an NMTOKEN and MUST conform to the format
defined in [LANGTAGS].
9.2. Basic Semantics
9.2.1. Message Semantics
The <message/> stanza kind can be seen as a "push" mechanism whereby
one entity pushes information to another entity, similar to the
communications that occur in a system such as email. All message
stanzas SHOULD possess a 'to' attribute that specifies the intended
recipient of the message; upon receiving such a stanza, a server
SHOULD route or deliver it to the intended recipient (see Server
Rules for Handling XML Stanzas (Section 11) for general routing and
delivery rules related to XML stanzas).
9.2.2. Presence Semantics
The <presence/> element can be seen as a specialized broadcast or
"publish-subscribe" mechanism, whereby multiple entities receive
information about an entity to which they have subscribed (in this
case, network availability information). In general, a publishing
entity SHOULD send a presence stanza with no 'to' attribute, in which
case the server to which the entity is connected SHOULD broadcast or
multiplex that stanza to all subscribing entities. However, a
publishing entity MAY also send a presence stanza with a 'to'
attribute, in which case the server SHOULD route or deliver that
stanza to the intended recipient. See Server Rules for Handling XML
Saint-Andre Expires July 30, 2007 [Page 41]
Internet-Draft XMPP Core January 2007
Stanzas (Section 11) for general routing and delivery rules related
to XML stanzas, and [XMPP-IM] for rules specific to presence
applications.
9.2.3. IQ Semantics
Info/Query, or IQ, is a request-response mechanism, similar in some
ways to [HTTP]. The semantics of IQ enable an entity to make a
request of, and receive a response from, another entity. The data
content of the request and response is defined by the schema or other
structural definition associated with the XML namespace that
qualifies the direct child element of the IQ element (see extended
namespaces (Section 9.4)), and the interaction is tracked by the
requesting entity through use of the 'id' attribute. Thus, IQ
interactions follow a common pattern of structured data exchange such
as get/result or set/result (although an error may be returned in
reply to a request if appropriate):
Requesting Responding
Entity Entity
---------- ----------
| |
| <iq type='get' id='1'> |
| ------------------------> |
| |
| <iq type='result' id='1'> |
| <------------------------ |
| |
| <iq type='set' id='2'> |
| ------------------------> |
| |
| <iq type='error' id='2'> |
| <------------------------ |
| |
In order to enforce these semantics, the following rules apply:
1. The 'id' attribute is REQUIRED for IQ stanzas.
2. The 'type' attribute is REQUIRED for IQ stanzas. The value MUST
be one of the following:
* get -- The stanza is a request for information or
requirements.
* set -- The stanza provides required data, sets new values, or
replaces existing values.
* result -- The stanza is a response to a successful get or set
request.
Saint-Andre Expires July 30, 2007 [Page 42]
Internet-Draft XMPP Core January 2007
* error -- An error has occurred regarding processing or
delivery of a previously-sent get or set (see Stanza Errors
(Section 9.3)).
3. An entity that receives an IQ request of type "get" or "set" MUST
reply with an IQ response of type "result" or "error" (the
response MUST preserve the 'id' attribute of the request).
4. An entity that receives a stanza of type "result" or "error" MUST
NOT respond to the stanza by sending a further IQ response of
type "result" or "error"; however, as shown above, the requesting
entity MAY send another request (e.g., an IQ of type "set" in
order to provide required information discovered through a get/
result pair).
5. An IQ stanza of type "get" or "set" MUST contain one and only one
child element that specifies the semantics of the particular
request or response.
6. An IQ stanza of type "result" MUST include zero or one child
elements.
7. An IQ stanza of type "error" SHOULD include the child element
contained in the associated "get" or "set" and MUST include an
<error/> child; for details, see Stanza Errors (Section 9.3).
9.3. Stanza Errors
Stanza-related errors are handled in a manner similar to stream
errors (Section 5.8). However, unlike stream errors, stanza errors
are recoverable; therefore error stanzas include hints regarding
actions that the original sender can take in order to remedy the
error.
9.3.1. Rules
The following rules apply to stanza-related errors:
o The receiving or processing entity that detects an error condition
in relation to a stanza SHOULD return an "error stanza" (and MUST
do so for IQ stanzas), where such an "error stanza" is a stanza of
the same kind (message, presence, or IQ) whose 'type' attribute is
set to a value of "error".
o The entity that generates an error stanza SHOULD include the
original XML sent so that the sender can inspect and, if
necessary, correct the XML before attempting to resend.
o An error stanza MUST contain an <error/> child element.
o An <error/> child MUST NOT be included if the 'type' attribute has
a value other than "error" (or if there is no 'type' attribute).
o An entity that receives an error stanza MUST NOT respond to the
stanza with a further error stanza; this helps to prevent looping.
Saint-Andre Expires July 30, 2007 [Page 43]
Internet-Draft XMPP Core January 2007
9.3.2. Syntax
The syntax for stanza-related errors is as follows:
<stanza-kind to='sender' type='error'>
[RECOMMENDED to include sender XML here]
<error type='error-type'>
<defined-condition xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
[<text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'
xml:lang='langcode'>
OPTIONAL descriptive text
</text>]
[OPTIONAL application-specific condition element]
</error>
</stanza-kind>
The "stanza-kind" is one of message, presence, or iq.
The value of the <error/> element's 'type' attribute MUST be one of
the following:
o cancel -- do not retry (the error is unrecoverable)
o continue -- proceed (the condition was only a warning)
o modify -- retry after changing the data sent
o auth -- retry after providing credentials
o wait -- retry after waiting (the error is temporary)
The <error/> element:
o MUST contain a child element corresponding to one of the defined
stanza error conditions specified below; this element MUST be
qualified by the 'urn:ietf:params:xml:ns:xmpp-stanzas' namespace.
o MAY contain a <text/> child containing XML character data that
describes the error in more detail; this element MUST be qualified
by the 'urn:ietf:params:xml:ns:xmpp-stanzas' namespace and SHOULD
possess an 'xml:lang' attribute.
o MAY contain a child element for an application-specific error
condition; this element MUST be qualified by an application-
defined namespace, and its structure is defined by that namespace.
The <text/> element is OPTIONAL. If included, it SHOULD be used only
to provide descriptive or diagnostic information that supplements the
meaning of a defined condition or application-specific condition. It
SHOULD NOT be interpreted programmatically by an application. It
SHOULD NOT be used as the error message presented to a user, but MAY
be shown in addition to the error message associated with the
included condition element (or elements).
Saint-Andre Expires July 30, 2007 [Page 44]
Internet-Draft XMPP Core January 2007
Finally, to maintain backward compatibility, the schema (specified in
[XMPP-IM]) allows the optional inclusion of a 'code' attribute on the
<error/> element; for details, see [XEP-0086].
9.3.3. Defined Conditions
The following conditions are defined for use in stanza errors.
o <bad-request/> -- the sender has sent XML that is malformed or
that cannot be processed (e.g., an IQ stanza that includes an
unrecognized value of the 'type' attribute); the associated error
type SHOULD be "modify".
o <conflict/> -- access cannot be granted because an existing
resource exists with the same name or address; the associated
error type SHOULD be "cancel".
o <feature-not-implemented/> -- the feature requested is not
implemented by the recipient or server and therefore cannot be
processed; the associated error type SHOULD be "cancel" or
"modify".
o <forbidden/> -- the requesting entity does not possess the
required permissions to perform the action; the associated error
type SHOULD be "auth".
o <gone/> -- the recipient or server can no longer be contacted at
this address (the error stanza MAY contain a new address in the
XML character data of the <gone/> element); the associated error
type SHOULD be "cancel" or "modify".
o <internal-server-error/> -- the server could not process the
stanza because of a misconfiguration or an otherwise-undefined
internal server error; the associated error type SHOULD be "wait".
o <item-not-found/> -- the addressed JID or item requested cannot be
found; the associated error type SHOULD be "cancel".
o <jid-malformed/> -- the sending entity has provided or
communicated an XMPP address (e.g., a value of the 'to' attribute)
or aspect thereof (e.g., a resource identifier) that does not
adhere to the syntax defined under Addresses (Section 3); the
associated error type SHOULD be "modify".
o <not-acceptable/> -- the recipient or server understands the
request but is refusing to process it because it does not meet
criteria defined by the recipient or server (e.g., a local policy
regarding stanza size limits or acceptable words in messages); the
associated error type SHOULD be "modify".
o <not-allowed/> -- the recipient or server does not allow any
entity to perform the action (e.g., sending to entities at a
blacklisted domain); the associated error type SHOULD be "cancel".
o <not-authorized/> -- the sender must provide proper credentials
before being allowed to perform the action, or has provided
improper credentials; the associated error type SHOULD be "auth".
Saint-Andre Expires July 30, 2007 [Page 45]
Internet-Draft XMPP Core January 2007
o <not-modified/> -- the item requested has not changed since it was
last requested; the associated error type SHOULD be "continue".
o <payment-required/> -- the requesting entity is not authorized to
access the requested service because payment is required; the
associated error type SHOULD be "auth".
o <recipient-unavailable/> -- the intended recipient is temporarily
unavailable; the associated error type SHOULD be "wait" (note: an
application MUST NOT return this error if doing so would provide
information about the intended recipient's network availability to
an entity that is not authorized to know such information).
o <redirect/> -- the recipient or server is redirecting requests for
this information to another entity, usually temporarily (the error
stanza SHOULD contain the alternate address, which MUST be a valid
JID, in the XML character data of the <redirect/> element); the
associated error type SHOULD be "modify".
o <registration-required/> -- the requesting entity is not
authorized to access the requested service because prior
registration is required; the associated error type SHOULD be
"auth".
o <remote-server-not-found/> -- a remote server or service specified
as part or all of the JID of the intended recipient does not
exist; the associated error type SHOULD be "cancel".
o <remote-server-timeout/> -- a remote server or service specified
as part or all of the JID of the intended recipient (or required
to fulfill a request) could not be contacted within a reasonable
amount of time; the associated error type SHOULD be "wait".
o <resource-constraint/> -- the server or recipient lacks the system
resources necessary to service the request; the associated error
type SHOULD be "wait".
o <service-unavailable/> -- the server or recipient does not
currently provide the requested service; the associated error type
SHOULD be "cancel".
o <subscription-required/> -- the requesting entity is not
authorized to access the requested service because a subscription
is required; the associated error type SHOULD be "auth".
o <undefined-condition/> -- the error condition is not one of those
defined by the other conditions in this list; any error type may
be associated with this condition, and it SHOULD be used only in
conjunction with an application-specific condition.
o <unexpected-request/> -- the recipient or server understood the
request but was not expecting it at this time (e.g., the request
was out of order); the associated error type SHOULD be "wait" or
"modify".
o <unknown-sender/> -- the stanza 'from' address specified by a
remote server or connected client is not known to the receiving
server or is not valid for the stream; the associated error type
SHOULD be "modify".
Saint-Andre Expires July 30, 2007 [Page 46]
Internet-Draft XMPP Core January 2007
9.3.4. Application-Specific Conditions
As noted, an application MAY provide application-specific stanza
error information by including a properly-namespaced child in the
error element. The application-specific element SHOULD supplement or
further qualify a defined element. Thus, the <error/> element will
contain two or three child elements:
<iq type='error' id='some-id'>
<error type='modify'>
<bad-request xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
<too-many-parameters xmlns='application-ns'/>
</error>
</iq>
<message type='error' id='another-id'>
<error type='modify'>
<undefined-condition
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
<text xml:lang='en'
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>
Some special application diagnostic information...
</text>
<special-application-condition xmlns='application-ns'/>
</error>
</message>
9.4. Extended Namespaces
While the message, presence, and IQ stanza kinds provide basic
semantics for messaging, availability, and request-response
interactions, XMPP uses XML namespaces to extend the stanzas for the
purpose of providing additional functionality. Thus a message or
presence stanza MAY contain one or more optional child elements
specifying content that extends the meaning of the message (e.g., an
XHTML-formatted version of the message body as described in
[XEP-0071]), and an IQ stanza MAY contain one such child element.
This child element MAY have any name and MUST possess an 'xmlns'
namespace declaration (other than "jabber:client", "jabber:server",
or "http://etherx.jabber.org/streams") that defines all data
contained within the child element. Such a child element is said to
be defined by an EXTENDED NAMESPACE.
Support for any given extended namespace is OPTIONAL on the part of
any implementation. If an entity does not understand such a
namespace, the entity's expected behavior depends on whether the
entity is (1) the recipient or (2) an entity that is routing the
Saint-Andre Expires July 30, 2007 [Page 47]
Internet-Draft XMPP Core January 2007
stanza to the recipient:
Recipient: If a recipient receives a stanza that contains a child
element it does not understand, it SHOULD ignore that specific XML
data, i.e., it SHOULD not process it or present it to a user or
associated application (if any). In particular:
* If an entity receives a message or presence stanza that
contains XML data qualified by a namespace it does not
understand, the portion of the stanza that is in the unknown
namespace SHOULD be ignored.
* If an entity receives a message stanza whose only child element
is qualified by a namespace it does not understand, it MUST
ignore the entire stanza.
* If an entity receives an IQ stanza of type "get" or "set"
containing a child element qualified by a namespace it does not
understand, the entity SHOULD return an IQ stanza of type
"error" with an error condition of <service-unavailable/>.
Router: If a routing entity (usually a server) handles a stanza that
contains a child element it does not understand, it SHOULD ignore
the associated XML data by passing it on untouched to the
recipient.
10. Examples
10.1. Client-to-Server
The following examples show the data flow for a client negotiating an
XML stream with a server, exchanging XML stanzas, and closing the
negotiated stream. The server is "example.com", the server requires
use of TLS, the client authenticates via the SASL DIGEST-MD5
mechanism as "juliet@example.com", and the client binds the resource
"balcony" to the stream. (Note: The alternate steps shown below are
provided to illustrate the protocol for failure cases; they are not
exhaustive and would not necessarily be triggered by the data sent in
the examples.)
Step 1: Client initiates stream to server:
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='juliet@example.com'
to='example.com'
version='1.0'>
Saint-Andre Expires July 30, 2007 [Page 48]
Internet-Draft XMPP Core January 2007
Step 2: Server responds by sending a stream header to client:
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='example.com'
id='c2s_123'
to='juliet@example.com'
version='1.0'>
Step 3: Server sends stream features to client (STARTTLS extension
and authentication mechanisms):
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
</stream:features>
Step 4: Client sends STARTTLS command to server:
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
Step 5: Server informs client that it is allowed to proceed:
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
Step 5 (alt): Server informs client that TLS negotiation has failed
and closes both XML stream and TCP connection:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
</stream:stream>
Step 6: Client and server attempt to complete TLS negotiation over
the existing TCP connection (see [TLS] for details).
Step 7: If TLS negotiation is successful, client initiates a new
stream to server:
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='juliet@example.com'
to='example.com'
version='1.0'>
Saint-Andre Expires July 30, 2007 [Page 49]
Internet-Draft XMPP Core January 2007
Step 7 (alt): If TLS negotiation is unsuccessful, server closes TCP
connection.
Step 8: Server responds by sending a stream header to client along
with any available stream features (notice that the server now shows
a different set of SASL mechanisms; here the server accepts the SASL
PLAIN mechanism once the stream has been secured via TLS):
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='example.com'
id='c2s_234'
to='juliet@example.com'
version='1.0'>
<stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism>
<mechanism>PLAIN</mechanism>
<required/>
</mechanisms>
</stream:features>
Step 9: Client selects an authentication mechanism, in this case
[DIGEST-MD5] with an empty authorization identity ("="):
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='DIGEST-MD5'>=</auth>
Step 10: Server sends a [BASE64] encoded challenge to client:
<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cmVhbG09ImV4YW1wbGUuY29tIixub25jZT0iT0E2TUc5dEVRR20yaGgiLHFvcD0i
YXV0aCIsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3MK
</challenge>
The decoded challenge is:
realm="example.com",nonce="OA6MG9tEQGm2hh",
qop="auth",charset=utf-8,algorithm=md5-sess
Note: When the server sends a DIGEST-MD5 challenge to the client, the
qop list must be quoted since it is a list rather than a single item
(even if there is only one item in the list); however, when the
client sends its response to the server (see below), the qop must not
be quoted since it is a single item rather than a list.
Saint-Andre Expires July 30, 2007 [Page 50]
Internet-Draft XMPP Core January 2007
Step 10 (alt): Server returns error to client:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<temporary-auth-failure/>
</failure>
</stream:stream>
Step 11: Client sends a [BASE64] encoded response to the challenge:
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
dXNlcm5hbWU9Imp1bGlldCIscmVhbG09ImV4YW1wbGUuY29tIixub25jZT0iT0E2
TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAwMDAwMDAx
LHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20iLHJlc3BvbnNl
PWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNoYXJzZXQ9dXRmLTgK
</response>
The decoded response is:
username="juliet",realm="example.com",
nonce="OA6MG9tEQGm2hh",cnonce="OA6MHXh6VqTrRk",
nc=00000001,qop=auth,digest-uri="xmpp/example.com",
response=d388dad90d4bbd760a152321f2143af7,charset=utf-8
Step 12: Server informs client of success and includes [BASE64]
encoded value for subsequent authentication:
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
</success>
The decoded value for subsequent authentication is:
rspauth=ea40f60335c427b5527b84dbabcdfffd
Step 12 (alt): Server returns error to client:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<temporary-auth-failure/>
</failure>
</stream:stream>
Saint-Andre Expires July 30, 2007 [Page 51]
Internet-Draft XMPP Core January 2007
Step 13: Client initiates a new stream to server:
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='juliet@example.com'
to='example.com'
version='1.0'>
Step 14: Server responds by sending a stream header to client along
with supported features (in this case resource binding):
<stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xml:lang='en'
from='example.com'
id='c2s_345'
to='juliet@example.com'
version='1.0'>
<stream:features>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<required/>
</bind>
</stream:features>
Upon being so informed that resource binding is required, the client
MUST bind a resource to the stream; here we assume that the client
binds a resource called "balcony".
Step 15: Client binds a resource:
<iq type='set' id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<resource>balcony</resource>
</bind>
</iq>
Saint-Andre Expires July 30, 2007 [Page 52]
Internet-Draft XMPP Core January 2007
Step 16: Server informs client of successful resource binding:
<iq type='result'
to='juliet@example.com/balcony'
id='bind_1'>
<bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
<jid>juliet@example.com/balcony</jid>
</bind>
</iq>
Now the client is allowed to send XML stanzas over the negotiated
stream.
Client sends XML stanza to other entity:
<message from='juliet@example.com/balcony'
to='romeo@example.net'
xml:lang='en'>
<body>Art thou not Romeo, and a Montague?</body>
</message>
If necessary, sender's server negotiates XML streams with intended
recipient's server (see Server-to-Server Examples (Section 10.2)).
The intended recipient replies and the message is delivered to the
client.
Client receives XML stanza from other entity:
<message from='romeo@example.net/orchard'
to='juliet@example.com/balcony'
xml:lang='en'>
<body>Neither, fair saint, if either thee dislike.</body>
</message>
Desiring to send no further messages, the client closes the stream.
Client closes the stream:
</stream:stream>
Consistent with the recommended stream closing handshake, server
closes stream as well:
Server closes the stream:
</stream:stream>
Saint-Andre Expires July 30, 2007 [Page 53]
Internet-Draft XMPP Core January 2007
Client now terminates the underlying TCP connection.
10.2. Server-to-Server Examples
The following examples show the data flow for a server negotiating an
XML stream with another server, exchanging XML stanzas, and closing
the negotiated stream. The initiating server ("Server1") is
"example.com"; the receiving server ("Server2") is example.net and it
requires use of TLS; example.com presents a certificate and
authenticates via the SASL EXTERNAL mechanism. (Note: The alternate
steps shown below are provided to illustrate the protocol for failure
cases; they are not exhaustive and would not necessarily be triggered
by the data sent in the examples.)
Step 1: Server1 initiates stream to Server2:
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.com'
to='example.net'
version='1.0'>
Step 2: Server2 responds by sending a stream tag to Server1:
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.net'
id='s2s_123'
to='example.com'
version='1.0'>
Step 3: Server2 sends stream features to Server1 (STARTTLS extension
and authentication mechanisms):
<stream:features>
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
<required/>
</starttls>
</stream:features>
Step 4: Server1 sends the STARTTLS command to Server2:
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
Saint-Andre Expires July 30, 2007 [Page 54]
Internet-Draft XMPP Core January 2007
Step 5: Server2 informs Server1 that it is allowed to proceed:
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
Step 5 (alt): Server2 informs Server1 that TLS negotiation has failed
and closes stream:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
</stream:stream>
Step 6: Server1 and Server2 attempt to complete TLS negotiation via
TCP.
Step 7: If TLS negotiation is successful, Server1 initiates a new
stream to Server2:
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.com'
to='example.net'
version='1.0'>
Step 7 (alt): If TLS negotiation is unsuccessful, Server2 closes TCP
connection.
Step 8: Server2 responds by sending a stream header to Server1 along
with available stream features (notice that Server2 now prefers the
SASL EXTERNAL mechanism):
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.net'
id='s2s_234'
to='example.com'
version='1.0'>
<stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>EXTERNAL</mechanism>
<mechanism>DIGEST-MD5</mechanism>
<required/>
</mechanisms>
</stream:features>
Saint-Andre Expires July 30, 2007 [Page 55]
Internet-Draft XMPP Core January 2007
Step 9: Server1 selects the EXTERNAL mechanism, in this case with an
authorization identity encoded according to [BASE64]:
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='EXTERNAL'/>ZXhhbXBsZS5jb20K</auth>
The decoded authorization identity is "example.com".
Step 10: Server2 determines that the authorization identity provided
by Server1 matches the valid id-xmppAddr-on or Common Name in the
presented certificate and therefore returns success:
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
Step 11 (alt): Server2 informs Server1 of failed authentication:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<not-authorized/>
</failure>
</stream:stream>
Step 12: Server1 initiates a new stream to Server2:
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.com'
to='example.net'
version='1.0'>
Step 13: Server2 responds by sending a stream header to Server1 along
with any additional features (or, in this case, an empty features
element):
<stream:stream
xmlns='jabber:server'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.net'
id='s2s_345'
to='example.com'
version='1.0'>
<stream:features/>
Now Server1 is allowed to send XML stanzas to Server2 over the
negotiated stream; here we assume that the transferred stanzas are
those shown earlier for client-to-server communications.
Saint-Andre Expires July 30, 2007 [Page 56]
Internet-Draft XMPP Core January 2007
Server1 sends XML stanza to Server2:
<message from='juliet@example.com/balcony'
to='romeo@example.net'
xml:lang='en'>
<body>Art thou not Romeo, and a Montague?</body>
</message>
The intended recipient replies and the message is delivered from
Server2 to Server1.
Server2 sends XML stanza to Server1:
<message from='romeo@example.net/orchard'
to='juliet@example.com/balcony'
xml:lang='en'>
<body>Neither, fair saint, if either thee dislike.</body>
</message>
Desiring to send no further messages, Server1 closes the stream. (In
practice, the stream would most likely remain open for some time,
since Server1 and Server2 do not immediately know if the stream will
be needed for further communications.)
Server1 closes the stream:
</stream:stream>
Consistent with the recommended stream closing handshake, Server2
closes stream as well:
Server2 closes the stream:
</stream:stream>
Server1 now terminates the underlying TCP connection.
11. Server Rules for Handling XML Stanzas
Compliant server implementations MUST ensure in-order processing of
XML stanzas between any two entities. This includes stanzas sent by
a client to its server for direct processing by the server.
Beyond the requirement for in-order processing, each server
implementation will contain its own "delivery tree" for handling
stanzas it receives. Such a tree determines whether a stanza needs
to be routed to another domain, processed direct, or delivered to a
Saint-Andre Expires July 30, 2007 [Page 57]
Internet-Draft XMPP Core January 2007
resource associated with a connected node. The following rules
apply.
11.1. No 'to' Address
If the stanza possesses no 'to' attribute, the server SHOULD process
it directly on behalf of the entity that sent it. Because all
stanzas received from other servers MUST possess a 'to' attribute,
this rule applies only to stanzas received from a registered entity
(such as a client) that is connected to the server. If the server
receives a presence stanza with no 'to' attribute, the server SHOULD
broadcast it to the entities that are subscribed to the sending
entity's presence, if applicable (the semantics of presence broadcast
for presence applications are defined in [XMPP-IM]). If the server
receives an IQ stanza of type "get" or "set" with no 'to' attribute
and it understands the namespace that qualifies the content of the
stanza, it MUST either process the stanza directly on behalf of
sending entity (where the meaning of "process" is determined by the
semantics of the qualifying namespace) or return an error to the
sending entity.
11.2. Foreign Domain
If the hostname of the domain identifier portion of the JID contained
in the 'to' attribute does not match one of the configured hostnames
of the server itself or a configured subdomain thereof, the server
SHOULD route the stanza to the foreign domain (subject to local
service provisioning and security policies regarding inter-domain
communication, since such communication is OPTIONAL). There are two
possible cases:
A server-to-server stream already exists between the two domains:
The sender's server routes the stanza to the authoritative server
for the foreign domain over the existing stream
There exists no server-to-server stream between the two domains: The
sender's server (1) resolves the hostname of the foreign domain
(as defined under Server-to-Server Communications (Section 15.4)),
(2) negotiates a server-to-server stream between the two domains
(as defined under TLS negotiation (Section 6) and SASL negotiation
(Section 7)), and (3) routes the stanza to the authoritative
server for the foreign domain over the newly-established stream
If routing to the recipient's server is unsuccessful, the sender's
server MUST return an error to the sender; if the recipient's server
can be contacted but delivery by the recipient's server to the
recipient is unsuccessful, the recipient's server MUST return an
error to the sender by way of the sender's server.
Saint-Andre Expires July 30, 2007 [Page 58]
Internet-Draft XMPP Core January 2007
11.3. Subdomain
If the hostname of the domain identifier portion of the JID contained
in the 'to' attribute matches a subdomain of one of the configured
hostnames of the server itself, the server MUST either process the
stanza itself or route the stanza to a specialized service that is
responsible for that subdomain (if the subdomain is configured), or
return an error to the sender (if the subdomain is not configured).
11.4. Mere Domain or Specific Resource
If the hostname of the domain identifier portion of the JID contained
in the 'to' attribute matches a configured hostname of the server
itself and the JID contained in the 'to' attribute is of the form
<domain> or <domain/resource>, the server (or a defined resource
thereof) MUST either process the stanza as appropriate for the stanza
kind or return an error stanza to the sender.
11.5. Node in Same Domain
If the hostname of the domain identifier portion of the JID contained
in the 'to' attribute matches a configured hostname of the server
itself and the JID contained in the 'to' attribute is of the form
<node@domain> or <node@domain/resource>, the server SHOULD deliver
the stanza to the intended recipient of the stanza as represented by
the JID contained in the 'to' attribute. The following rules apply:
1. If the JID contains a resource identifier (i.e., is of the form
<node@domain/resource>) and there exists a connected resource
that exactly matches the full JID, the recipient's server SHOULD
deliver the stanza to the stream or connection that exactly
matches the resource identifier.
2. If the JID contains a resource identifier and there exists no
connected resource that exactly matches the full JID, the
recipient's server SHOULD return a <service-unavailable/> stanza
error to the sender.
3. If the JID is of the form <node@domain> and there exists at least
one connected resource for the node, the recipient's server
SHOULD deliver the stanza to at least one of the connected
resources, according to application-specific rules.
Particular XMPP applications MAY specify delivery rules that modify
or supplement the foregoing rules; for example, a set of delivery
rules for instant messaging and presence applications is defined in
[XMPP-IM].
Saint-Andre Expires July 30, 2007 [Page 59]
Internet-Draft XMPP Core January 2007
12. XML Usage
12.1. Restrictions
XMPP is a simplified and specialized protocol for streaming XML
elements in order to exchange structured information in close to real
time. Because XMPP does not require the parsing of arbitrary and
complete XML documents, there is no requirement that XMPP needs to
support the full feature set of [XML]. In particular, the following
restrictions apply.
With regard to XML generation, an XMPP implementation MUST NOT inject
into an XML stream any of the following:
o comments (as defined in Section 2.5 of [XML])
o processing instructions (Section 2.6 therein)
o internal or external DTD subsets (Section 2.8 therein)
o internal or external entity references (Section 4.2 therein) with
the exception of predefined entities (Section 4.6 therein)
o character data or attribute values containing unescaped characters
that map to the predefined entities (Section 4.6 therein); such
characters MUST be escaped
With regard to XML processing, if an XMPP implementation receives
such restricted XML data, it MUST return a <restricted-xml/> stream
error.
12.2. XML Namespace Names and Prefixes
XML namespaces (see [XML-NAMES]) are used within all XMPP-compliant
XML to create strict boundaries of data ownership. The basic
function of namespaces is to separate different vocabularies of XML
elements that are structurally mixed together. Ensuring that XMPP-
compliant XML is namespace-aware enables any allowable XML to be
structurally mixed with any data element within XMPP. Rules for XML
namespace names and prefixes are defined in the following
subsections.
12.2.1. Streams Namespace
A streams namespace declaration is REQUIRED in all XML stream
headers. The name of the streams namespace MUST be
'http://etherx.jabber.org/streams'. The element names of the
<stream/> element and its <features/> and <error/> children MUST be
qualified by the streams namespace prefix in all instances. An
implementation SHOULD generate only the 'stream:' prefix for these
elements, and for historical reasons MAY accept only the 'stream:'
prefix.
Saint-Andre Expires July 30, 2007 [Page 60]
Internet-Draft XMPP Core January 2007
12.2.2. Default Namespace
A default namespace declaration is REQUIRED and is used in all XML
streams in order to define the allowable first-level children of the
root stream element. This namespace declaration MUST be the same for
the initial stream and the response stream so that both streams are
qualified consistently. The default namespace declaration applies to
the stream and all stanzas sent within a stream (unless explicitly
qualified by another namespace, or by the prefix of the streams
namespace or the dialback namespace).
A server implementation MUST support the following two default
namespaces (for historical reasons, some implementations MAY support
only these two default namespaces):
o jabber:client -- this default namespace is declared when the
stream is used for communications between a client and a server
o jabber:server -- this default namespace is declared when the
stream is used for communications between two servers
A client implementation MUST support the 'jabber:client' default
namespace, and for historical reasons MAY support only that default
namespace.
An implementation MUST NOT generate namespace prefixes for elements
qualified by the default namespace if the default namespace is
'jabber:client' or 'jabber:server'. An implementation SHOULD NOT
generate namespace prefixes for elements qualified by content (as
opposed to stream) namespaces other than 'jabber:client' and 'jabber:
server'.
Note: The 'jabber:client' and 'jabber:server' namespaces are nearly
identical but are used in different contexts (client-to-server
communications for 'jabber:client' and server-to-server
communications for 'jabber:server'). The only difference between the
two is that the 'to' and 'from' attributes are OPTIONAL on stanzas
sent within 'jabber:client', whereas they are REQUIRED on stanzas
sent within 'jabber:server'. If a compliant implementation accepts a
stream that is qualified by the 'jabber:client' or 'jabber:server'
namespace, it MUST support the common attributes (Section 9.1) and
basic semantics (Section 9.2) of all three core stanza kinds
(message, presence, and IQ).
12.2.3. Dialback Namespace
A dialback namespace declaration is REQUIRED for all elements used in
server dialback (Appendix C). The name of the dialback namespace
MUST be 'jabber:server:dialback'. All elements qualified by this
Saint-Andre Expires July 30, 2007 [Page 61]
Internet-Draft XMPP Core January 2007
namespace MUST be prefixed. An implementation SHOULD generate only
the 'db:' prefix for such elements and MAY accept only the 'db:'
prefix.
12.3. Validation
A server is not responsible for validating the XML elements forwarded
to a client or another server; an implementation MAY choose to
provide only validated data elements but this is OPTIONAL (although
an implementation MUST NOT accept XML that is not well-formed).
Clients SHOULD NOT rely on the ability to send data which does not
conform to the schemas, and SHOULD ignore any non-conformant elements
or attributes on the incoming XML stream. Validation of XML streams
and stanzas is OPTIONAL, and schemas are included herein for
descriptive purposes only.
12.4. Inclusion of Text Declaration
Implementations SHOULD send a text declaration before sending a
stream header. Applications MUST follow the rules in [XML] regarding
the circumstances under which a text declaration is included.
12.5. Character Encoding
Implementations MUST support the [UTF-8] transformation of Universal
Character Set ([UCS2]) characters, as required by [CHARSET].
Implementations MUST NOT attempt to use any other encoding.
12.6. White Space
Except where explicitly disallowed (i.e., during TLS negotiation
(Section 6) and SASL negotiation [SASL]), either entity MAY send
white space characters (matching production [3] content of [XML])
within the root stream element as separators between XML stanzas or
between any other first-level elements sent over the stream; one
common use for sending such white space characters is to check the
viability of the underlying TCP connection after a period of
inactivity.
13. Compliance Requirements
This section summarizes the specific aspects of the Extensible
Messaging and Presence Protocol that MUST be supported by servers and
clients in order to be considered compliant implementations, as well
as additional protocol aspects that SHOULD be supported. For
compliance purposes, we draw a distinction between core protocols
(which MUST be supported by any server or client, regardless of the
Saint-Andre Expires July 30, 2007 [Page 62]
Internet-Draft XMPP Core January 2007
specific application) and instant messaging and presence protocols
(which MUST be supported only by instant messaging and presence
applications built on top of the core protocols). Compliance
requirements that apply to all servers and clients are specified in
this section; compliance requirements for instant messaging and
presence applications are specified in the corresponding section of
[XMPP-IM].
13.1. Servers
In addition to all defined requirements with regard to security, XML
usage, and internationalization, a server MUST support the following
core protocols in order to be considered compliant:
o Application of the [NAMEPREP], Nodeprep (Appendix A), and
Resourceprep (Appendix B) profiles of [STRINGPREP] to addresses
(including ensuring that domain identifiers are internationalized
domain names as defined in [IDNA])
o XML streams (Section 5), including TLS negotiation (Section 6),
SASL negotiation (Section 7), and Resource Binding (Section 8)
o The basic semantics of the three defined stanza kinds (i.e.,
<message/>, <presence/>, and <iq/>) as specified in stanza
semantics (Section 9.2)
o Generation (and, where appropriate, handling) of error syntax and
semantics related to streams, TLS, SASL, and XML stanzas
In addition, for historical reasons a server SHOULD support the
following core protocol:
o Server dialback (Appendix C)
13.2. Clients
A client MUST support the following core protocols in order to be
considered compliant:
o XML streams (Section 5), including TLS negotiation (Section 6),
SASL negotiation (Section 7), and Resource Binding (Section 8)
o The basic semantics of the three defined stanza kinds (i.e.,
<message/>, <presence/>, and <iq/>) as specified in stanza
semantics (Section 9.2)
o Handling (and, where appropriate, generation) of error syntax and
semantics related to streams, TLS, SASL, and XML stanzas
In addition, a client SHOULD support the following core protocols:
Saint-Andre Expires July 30, 2007 [Page 63]
Internet-Draft XMPP Core January 2007
o Generation of addresses to which the [NAMEPREP], Nodeprep
(Appendix A), and Resourceprep (Appendix B) profiles of
[STRINGPREP] can be applied without failing
14. Internationalization Considerations
XML streams MUST be encoded in UTF-8 as specified under Character
Encoding (Section 12.5). As specified under Stream Attributes
(Section 5.3), an XML stream SHOULD include an 'xml:lang' attribute
specifying the default language for any XML character data sent over
the stream that is intended to be presented to a human user. As
specified under xml:lang (Section 9.1.5), an XML stanza SHOULD
include an 'xml:lang' attribute if the stanza contains XML character
data that is intended to be presented to a human user. A server
SHOULD apply the default 'xml:lang' attribute to stanzas it routes or
delivers on behalf of connected entities, and MUST NOT modify or
delete 'xml:lang' attributes stanzas it receives from other entities.
15. Security Considerations
15.1. High Security
For the purposes of XMPP communications (client-to-server and server-
to-server), the term "high security" refers to the use of security
technologies that provide both mutual authentication and integrity-
checking; in particular, when using certificate-based authentication
to provide high security, a chain-of-trust SHOULD be established out-
of-band, although a shared certificate authority signing certificates
could allow a previously unknown certificate to establish trust in-
band. See Section 15.2 below regarding certificate validation
procedures.
Implementations MUST support high security. Service provisioning
SHOULD use high security, subject to local security policies.
15.2. Certificate Validation
When an XMPP peer communicates with another peer securely, it MUST
validate the peer's certificate. There are three possible cases:
Case #1: The peer contains an End Entity certificate which appears
to be certified by a chain of certificates terminating in a trust
anchor (as described in Section 6.1 of [X509]).
Saint-Andre Expires July 30, 2007 [Page 64]
Internet-Draft XMPP Core January 2007
Case #2: The peer certificate is certified by a Certificate
Authority not known to the validating peer.
Case #3: The peer certificate is self-signed.
In Case #1, the validating peer MUST do one of two things:
1. Verify the peer certificate according to the rules of [X509].
The certificate SHOULD then be checked against the expected
identity of the peer following the rules described in [HTTP-TLS],
except that if present an [ASN.1] Object Identifier of "id-on-
xmppAddr" (represented as a UTF8String in an otherName entity
inside the subjectAltName) MUST be used as the identity. If one
of these checks fails, user-oriented clients MUST either notify
the user (clients MAY give the user the opportunity to continue
with the connection in any case) or terminate the connection with
a bad certificate error. Automated clients SHOULD terminate the
connection (with a bad certificate error) and log the error to an
appropriate audit log. Automated clients MAY provide a
configuration setting that disables this check, but MUST provide
a setting that enables it.
2. The peer SHOULD show the certificate to a user for approval,
including the entire certificate chain. The peer MUST cache the
certificate (or some non-forgeable representation such as a
hash). In future connections, the peer MUST verify that the same
certificate was presented and MUST notify the user if it has
changed.
In Case #2 and Case #3, implementations SHOULD act as in (2) above.
15.3. Client-to-Server Communications
A compliant client implementation MUST support both TLS and SASL for
connections to a server.
The TLS protocol for encrypting XML streams (defined under TLS
negotiation (Section 6)) provides a reliable mechanism for helping to
ensure the confidentiality and data integrity of data exchanged
between two entities.
The SASL protocol for authenticating XML streams (defined under SASL
negotiation (Section 7)) provides a reliable mechanism for validating
that a client connecting to a server is who it claims to be.
Client-to-server communications MUST NOT proceed until the DNS
hostname asserted by the server has been resolved as specified under
TCP Binding (Section 4). If there is a mismatch between the hostname
to which a client attempted to connect (e.g., "example.net") and the
hostname to which the client actually connects (e.g.,
"im.example.net"), the client MUST warn a human user about the
Saint-Andre Expires July 30, 2007 [Page 65]
Internet-Draft XMPP Core January 2007
mismatch and the human user MUST approve the connection before the
client proceeds; however, the client MAY allow the user to add the
presented hostname to a configured set of accepted hostnames in order
to expedite future connections.
The IP address and method of access of clients MUST NOT be made
public by a server, nor are any connections other than the original
server connection required. This helps to protect the client's
server from direct attack or identification by third parties.
15.4. Server-to-Server Communications
A compliant server implementation MUST support both TLS and SASL for
inter-domain communications. For historical reasons, a compliant
implementation SHOULD also support Server Dialback (Appendix C).
Because service provisioning is a matter of policy, it is OPTIONAL
for any given domain to communicate with other domains, and server-
to-server communications MAY be disabled by the administrator of any
given deployment. If a particular domain enables inter-domain
communications, it SHOULD enable high security.
Administrators may want to require use of SASL for server-to-server
communications in order to ensure both authentication and
confidentiality (e.g., on an organization's private network).
Compliant implementations SHOULD support SASL for this purpose.
Server-to-server communications MUST NOT proceed until the DNS
hostnames asserted by both servers have been resolved as specified
under TCP Binding (Section 4).
Server dialback helps protect against domain spoofing, thus making it
more difficult to spoof XML stanzas. It is not a mechanism for
authenticating, securing, or encrypting streams between servers as is
done via SASL and TLS, and results in weak verification of server
identities only. Furthermore, it is susceptible to DNS poisoning
attacks unless [DNSSEC] is used, and even if the DNS information is
accurate, dialback cannot protect from attacks where the attacker is
capable of hijacking the IP address of the remote domain. Domains
requiring robust security SHOULD use TLS and SASL. If SASL is used
for server-to-server authentication, dialback SHOULD NOT be used
since it is unnecessary.
15.5. Order of Layers
The order of layers in which protocols MUST be stacked is as follows:
Saint-Andre Expires July 30, 2007 [Page 66]
Internet-Draft XMPP Core January 2007
1. TCP
2. TLS
3. SASL
4. XMPP
The rationale for this order is that [TCP] is the base connection
layer used by all of the protocols stacked on top of TCP, [TLS] is
often provided at the operating system layer, [SASL] is often
provided at the application layer, and XMPP is the application
itself.
15.6. Lack of SASL Channel Binding to TLS
The SASL framework does not provide a mechanism to bind SASL
authentication to a security layer providing confidentiality and
integrity protection that was negotiated at a lower layer. This lack
of a "channel binding" prevents SASL from being able to verify that
the source and destination end points to which the lower layer's
security is bound are equivalent to the end points that SASL is
authenticating. If the end points are not identical, the lower
layer's security cannot be trusted to protect data transmitted
between the SASL authenticated entities. In such a situation, a SASL
security layer should be negotiated that effectively ignores the
presence of the lower layer security.
15.7. Mandatory-to-Implement Technologies
At a minimum, all implementations MUST support the following
mechanisms:
for authentication: the SASL [DIGEST-MD5] mechanism
for confidentiality: TLS (using the TLS_RSA_WITH_3DES_EDE_CBC_SHA
cipher)
for both: TLS plus SASL PLAIN for client-to-server connections and
TLS plus SASL EXTERNAL for server-to-server connections (using the
TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher supporting peer certificates)
Naturally, implementations MAY support other ciphers with TLS and MAY
support other SASL mechanisms.
15.8. Firewalls
Communications using XMPP normally occur over [TCP] connections on
port 5222 (client-to-server) or port 5269 (server-to-server), as
registered with the IANA (see IANA Considerations (Section 16)). Use
of these well-known ports allows administrators to easily enable or
disable XMPP activity through existing and commonly-deployed
firewalls.
Saint-Andre Expires July 30, 2007 [Page 67]
Internet-Draft XMPP Core January 2007
15.9. Use of base64 in SASL
Both the client and the server MUST verify any [BASE64] data received
during SASL negotiation. An implementation MUST reject (not ignore)
any characters that are not explicitly allowed by the base64
alphabet; this helps to guard against creation of a covert channel
that could be used to "leak" information. An implementation MUST NOT
break on invalid input and MUST reject any sequence of base64
characters containing the pad ('=') character if that character is
included as something other than the last character of the data
(e.g., "=AAA" or "BBBB=CCC"); this helps to guard against buffer
overflow attacks and other attacks on the implementation. Base 64
encoding visually hides otherwise easily recognized information, such
as passwords, but does not provide any computational confidentiality.
Base 64 encoding MUST follow the definition in Section 3 of [BASE64].
15.10. Stringprep Profiles
XMPP makes use of the [NAMEPREP] profile of [STRINGPREP] for
processing of domain identifiers; for security considerations related
to Nameprep, refer to the appropriate section of [NAMEPREP].
In addition, XMPP defines two profiles of [STRINGPREP]: Nodeprep
(Appendix A) for node identifiers and Resourceprep (Appendix B) for
resource identifiers.
The Unicode and ISO/IEC 10646 repertoires have many characters that
look similar. In many cases, users of security protocols might do
visual matching, such as when comparing the names of trusted third
parties. Because it is impossible to map similar-looking characters
without a great deal of context, such as knowing the fonts used,
stringprep does nothing to map similar-looking characters together,
nor to prohibit some characters because they look like others.
A node identifier can be employed as one part of an entity's address
in XMPP. One common usage is as the username of an instant messaging
user; another is as the name of a multi-user chat room; many other
kinds of entities could use node identifiers as part of their
addresses. The security of such services could be compromised based
on different interpretations of the internationalized node
identifier; for example, a user entering a single internationalized
node identifier could access another user's account information, or a
user could gain access to an otherwise restricted chat room or
service.
A resource identifier can be employed as one part of an entity's
address in XMPP. One common usage is as the name for an instant
messaging user's connected resource; another is as the nickname of a
Saint-Andre Expires July 30, 2007 [Page 68]
Internet-Draft XMPP Core January 2007
user in a multi-user chat room; many other kinds of entities could
use resource identifiers as part of their addresses. The security of
such services could be compromised based on different interpretations
of the internationalized resource identifier; for example, a user
could attempt to initiate multiple connections with the same name, or
a user could send a message to someone other than the intended
recipient in a multi-user chat room.
16. IANA Considerations
16.1. XML Namespace Name for TLS Data
A URN sub-namespace for TLS-related data in the Extensible Messaging
and Presence Protocol (XMPP) is defined as follows. (This namespace
name adheres to the format defined in The IETF XML Registry
[XML-REG].)
URI: urn:ietf:params:xml:ns:xmpp-tls
Specification: RFC 3920
Description: This is the XML namespace name for TLS-related data in
the Extensible Messaging and Presence Protocol (XMPP) as defined
by RFC 3920.
Registrant Contact: IETF, XMPP Working Group, <xmppwg@xmpp.org>
16.2. XML Namespace Name for SASL Data
A URN sub-namespace for SASL-related data in the Extensible Messaging
and Presence Protocol (XMPP) is defined as follows. (This namespace
name adheres to the format defined in [XML-REG].)
URI: urn:ietf:params:xml:ns:xmpp-sasl
Specification: RFC 3920
Description: This is the XML namespace name for SASL-related data in
the Extensible Messaging and Presence Protocol (XMPP) as defined
by RFC 3920.
Registrant Contact: IETF, XMPP Working Group, <xmppwg@xmpp.org>
16.3. XML Namespace Name for Stream Errors
A URN sub-namespace for stream-related error data in the Extensible
Messaging and Presence Protocol (XMPP) is defined as follows. (This
namespace name adheres to the format defined in [XML-REG].)
Saint-Andre Expires July 30, 2007 [Page 69]
Internet-Draft XMPP Core January 2007
URI: urn:ietf:params:xml:ns:xmpp-streams
Specification: RFC 3920
Description: This is the XML namespace name for stream-related error
data in the Extensible Messaging and Presence Protocol (XMPP) as
defined by RFC 3920.
Registrant Contact: IETF, XMPP Working Group, <xmppwg@xmpp.org>
16.4. XML Namespace Name for Resource Binding
A URN sub-namespace for resource binding in the Extensible Messaging
and Presence Protocol (XMPP) is defined as follows. (This namespace
name adheres to the format defined in [XML-REG].)
URI: urn:ietf:params:xml:ns:xmpp-bind
Specification: RFC 3920
Description: This is the XML namespace name for resource binding in
the Extensible Messaging and Presence Protocol (XMPP) as defined
by RFC 3920.
Registrant Contact: IETF, XMPP Working Group, <xmppwg@xmpp.org>
16.5. XML Namespace Name for Stanza Errors
A URN sub-namespace for stanza-related error data in the Extensible
Messaging and Presence Protocol (XMPP) is defined as follows. (This
namespace name adheres to the format defined in [XML-REG].)
URI: urn:ietf:params:xml:ns:xmpp-stanzas
Specification: RFC 3920
Description: This is the XML namespace name for stanza-related error
data in the Extensible Messaging and Presence Protocol (XMPP) as
defined by RFC 3920.
Registrant Contact: IETF, XMPP Working Group, <xmppwg@xmpp.org>
16.6. Nodeprep Profile of Stringprep
The Nodeprep profile of stringprep is defined under Nodeprep
(Appendix A). The IANA has registered Nodeprep in the stringprep
profile registry.
Name of this profile:
Nodeprep
RFC in which the profile is defined:
Saint-Andre Expires July 30, 2007 [Page 70]
Internet-Draft XMPP Core January 2007
RFC 3920
Indicator whether or not this is the newest version of the profile:
This is the first version of Nodeprep
16.7. Resourceprep Profile of Stringprep
The Resourceprep profile of stringprep is defined under Resourceprep
(Appendix B). The IANA has registered Resourceprep in the stringprep
profile registry.
Name of this profile:
Resourceprep
RFC in which the profile is defined:
RFC 3920
Indicator whether or not this is the newest version of the profile:
This is the first version of Resourceprep
16.8. GSSAPI Service Name
The IANA has registered "xmpp" as a GSSAPI [GSS-API] service name, as
defined under SASL Definition (Section 7.3).
16.9. Port Numbers
The IANA has registered "xmpp-client" and "xmpp-server" as keywords
for [TCP] ports 5222 and 5269 respectively.
These ports SHOULD be used for client-to-server and server-to-server
communications respectively, but their use is OPTIONAL.
17. References
17.1. Normative References
[ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 4234, October 2005.
[BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 3548, July 2003.
Saint-Andre Expires July 30, 2007 [Page 71]
Internet-Draft XMPP Core January 2007
[CHARSET] Alvestrand, H., "IETF Policy on Character Sets and
Languages", BCP 18, RFC 2277, January 1998.
[DIGEST-MD5]
Leach, P. and C. Newman, "Using Digest Authentication as a
SASL Mechanism", RFC 2831, May 2000.
[DNS-SRV] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
[DNS] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[GSS-API] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000.
[HMAC] National Institute of Standards and Technology, "The
Keyed-Hash Message Authentication Code (HMAC)", FIPS PUB
198, March 2002, <http://csrc.nist.gov/publications/fips/
fips198/fips-198a.pdf>.
[HTTP-TLS]
Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[IDNA] Faltstrom, P., Hoffman, P., and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)",
RFC 3490, March 2003.
[IPv6] Hinden, R. and S. Deering, "Internet Protocol Version 6
(IPv6) Addressing Architecture", RFC 3513, April 2003.
[LANGTAGS]
Alvestrand, H., "Tags for the Identification of
Languages", BCP 47, RFC 3066, January 2001.
[NAMEPREP]
Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
Profile for Internationalized Domain Names (IDN)",
RFC 3491, March 2003.
[RANDOM] Eastlake, D., Crocker, S., and J. Schiller, "Randomness
Recommendations for Security", RFC 1750, December 1994.
[SASL] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006.
[SHA] National Institute of Standards and Technology, "Secure
Saint-Andre Expires July 30, 2007 [Page 72]
Internet-Draft XMPP Core January 2007
Hash Standard", FIPS PUB 180-2, August 2002, <http://
csrc.nist.gov/publications/fips/fips180-2/
fips180-2withchangenotice.pdf>.
[STRINGPREP]
Hoffman, P. and M. Blanchet, "Preparation of
Internationalized Strings ("stringprep")", RFC 3454,
December 2002.
[TCP] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, September 1981.
[TERMS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
[UCS2] International Organization for Standardization,
"Information Technology - Universal Multiple-octet coded
Character Set (UCS) - Amendment 2: UCS Transformation
Format 8 (UTF-8)", ISO Standard 10646-1 Addendum 2,
October 1996.
[UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.
[X509] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", RFC 3280,
April 2002.
[XML] Bray, T., Paoli, J., Sperberg-McQueen, C., and E. Maler,
"Extensible Markup Language (XML) 1.0 (2nd ed)", W3C REC-
xml, October 2000, <http://www.w3.org/TR/REC-xml>.
[XML-NAMES]
Bray, T., Hollander, D., and A. Layman, "Namespaces in
XML", W3C REC-xml-names, January 1999,
<http://www.w3.org/TR/REC-xml-names>.
17.2. Informative References
[ACAP] Newman, C. and J. Myers, "ACAP -- Application
Configuration Access Protocol", RFC 2244, November 1997.
[ASN.1] CCITT, "Recommendation X.208: Specification of Abstract
Syntax Notation One (ASN.1)", 1988.
Saint-Andre Expires July 30, 2007 [Page 73]
Internet-Draft XMPP Core January 2007
[DNSSEC] Eastlake, D., "Domain Name System Security Extensions",
RFC 2535, March 1999.
[DNS-TXT] Rosenbaum, R., "Using the Domain Name System To Store
Arbitrary String Attributes", RFC 1464, May 1993.
[HTTP] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[IMAP] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, March 2003.
[IMP-REQS]
Day, M., Aggarwal, S., and J. Vincent, "Instant Messaging
/ Presence Protocol Requirements", RFC 2779,
February 2000.
[IRI] Duerst, M. and M. Suignard, "Internationalized Resource
Identifiers (IRIs)", RFC 3987, January 2005.
[LINKLOCAL]
Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927,
May 2005.
[MAILBOXES]
Crocker, D., "MAILBOX NAMES FOR COMMON SERVICES, ROLES AND
FUNCTIONS", RFC 2142, May 1997.
[POP3] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, May 1996.
[SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
April 2001.
[URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005.
[URN-OID] Mealling, M., "A URN Namespace of Object Identifiers",
RFC 3061, February 2001.
[USINGTLS]
Newman, C., "Using TLS with IMAP, POP3 and ACAP",
RFC 2595, June 1999.
[XEP-0045]
Saint-Andre Expires July 30, 2007 [Page 74]
Internet-Draft XMPP Core January 2007
Saint-Andre, P., "Multi-User Chat", XSF XEP 0045,
September 2006.
[XEP-0071]
Saint-Andre, P., "XHTML-IM", XSF XEP 0071, January 2006.
[XEP-0077]
Saint-Andre, P., "In-Band Registration", XSF XEP 0077,
January 2006.
[XEP-0086]
Norris, R. and P. Saint-Andre, "Error Condition Mappings",
XSF XEP 0086, February 2004.
[XEP-0124]
Paterson, I., Smith, D., and P. Saint-Andre, "HTTP
Binding", XSF XEP 0124, April 2006.
[XEP-0156]
Hildebrand, J. and P. Saint-Andre, "A DNS TXT Resource
Record Format for XMPP Connection Methods", XSF XEP 0156,
May 2005.
[XEP-0157]
Saint-Andre, P. and J. Konieczny, "Contact Addresses for
XMPP Services", XSF XEP 0157, January 2007.
[XEP-0174]
Saint-Andre, P., "Link-Local Messaging", XSF XEP 0174,
December 2006.
[XEP-0175]
Saint-Andre, P., "Best Practices for Use of SASL
ANONYMOUS", XSF XEP 0175, September 2006.
[XEP-0178]
Saint-Andre, P. and P. Millard, "Best Practices for Use of
SASL EXTERNAL", XSF XEP 0178, January 2007.
[XML-REG] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
January 2004.
[XMPP-IM] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Instant Messaging and Presence",
RFC 3921, October 2004.
[XMPP-URI]
Saint-Andre, P., "Internationalized Resource Identifiers
Saint-Andre Expires July 30, 2007 [Page 75]
Internet-Draft XMPP Core January 2007
(IRIs) and Uniform Resource Identifiers (URIs) for the
Extensible Messaging and Presence Protocol (XMPP)",
RFC 4622, August 2006.
Appendix A. Nodeprep
A.1. Introduction
This appendix defines the "Nodeprep" profile of [STRINGPREP]. As
such, it specifies processing rules that will enable users to enter
internationalized node identifiers in the Extensible Messaging and
Presence Protocol (XMPP) and have the highest chance of getting the
content of the strings correct. (An XMPP node identifier is the
optional portion of an XMPP address that precedes a domain identifier
and the '@' separator; it is often but not exclusively associated
with an instant messaging username.) These processing rules are
intended only for XMPP node identifiers and are not intended for
arbitrary text or any other aspect of an XMPP address.
This profile defines the following, as required by [STRINGPREP]:
o The intended applicability of the profile: internationalized node
identifiers within XMPP
o The character repertoire that is the input and output to
stringprep: Unicode 3.2, specified in Section 2 of this Appendix
o The mappings used: specified in Section 3
o The Unicode normalization used: specified in Section 4
o The characters that are prohibited as output: specified in Section
5
o Bidirectional character handling: specified in Section 6
A.2. Character Repertoire
This profile uses Unicode 3.2 with the list of unassigned code points
being Table A.1, both defined in Appendix A of [STRINGPREP].
A.3. Mapping
This profile specifies mapping using the following tables from
[STRINGPREP]:
Table B.1
Table B.2
Saint-Andre Expires July 30, 2007 [Page 76]
Internet-Draft XMPP Core January 2007
A.4. Normalization
This profile specifies the use of Unicode normalization form KC, as
described in [STRINGPREP].
A.5. Prohibited Output
This profile specifies the prohibition of using the following tables
from [STRINGPREP].
Table C.1.1
Table C.1.2
Table C.2.1
Table C.2.2
Table C.3
Table C.4
Table C.5
Table C.6
Table C.7
Table C.8
Table C.9
In addition, the following Unicode characters are also prohibited:
#x22 (")
#x26 (&)
#x27 (')
#x2F (/)
#x3A (:)
#x3C (<)
#x3E (>)
#x40 (@)
A.6. Bidirectional Characters
This profile specifies checking bidirectional strings, as described
in Section 6 of [STRINGPREP].
Appendix B. Resourceprep
B.1. Introduction
This appendix defines the "Resourceprep" profile of [STRINGPREP]. As
such, it specifies processing rules that will enable users to enter
internationalized resource identifiers in the Extensible Messaging
and Presence Protocol (XMPP) and have the highest chance of getting
the content of the strings correct. (An XMPP resource identifier is
Saint-Andre Expires July 30, 2007 [Page 77]
Internet-Draft XMPP Core January 2007
the optional portion of an XMPP address that follows a domain
identifier and the '/' separator.) These processing rules are
intended only for XMPP resource identifiers and are not intended for
arbitrary text or any other aspect of an XMPP address.
This profile defines the following, as required by [STRINGPREP]:
o The intended applicability of the profile: internationalized
resource identifiers within XMPP
o The character repertoire that is the input and output to
stringprep: Unicode 3.2, specified in Section 2 of this Appendix
o The mappings used: specified in Section 3
o The Unicode normalization used: specified in Section 4
o The characters that are prohibited as output: specified in Section
5
o Bidirectional character handling: specified in Section 6
B.2. Character Repertoire
This profile uses Unicode 3.2 with the list of unassigned code points
being Table A.1, both defined in Appendix A of [STRINGPREP].
B.3. Mapping
This profile specifies mapping using the following tables from
[STRINGPREP]:
Table B.1
B.4. Normalization
This profile specifies the use of Unicode normalization form KC, as
described in [STRINGPREP].
B.5. Prohibited Output
This profile specifies the prohibition of using the following tables
from [STRINGPREP].
Table C.1.2
Table C.2.1
Table C.2.2
Table C.3
Table C.4
Saint-Andre Expires July 30, 2007 [Page 78]
Internet-Draft XMPP Core January 2007
Table C.5
Table C.6
Table C.7
Table C.8
Table C.9
B.6. Bidirectional Characters
This profile specifies checking bidirectional strings, as described
in Section 6 of [STRINGPREP].
Appendix C. Server Dialback
C.1. Overview
Server dialback is a reverse DNS lookup method whose results are
communicated over XML streams, thus making it more difficult to spoof
XMPP server domains and XML stanzas sent over XML streams between
servers. Server dialback is not a security mechanism, and results
only in weak verification of server identities (see Server-to-Server
Communications (Section 15.4) regarding this method's security
characteristics). Domains requiring robust security SHOULD use TLS
and SASL; see Server-to-Server Communications (Section 15.4) for
details. If SASL is used for server-to-server authentication,
dialback SHOULD NOT be used since it is unnecessary. Documentation
of dialback is included mainly for the sake of backward-compatibility
with existing implementations and deployments. However, depending on
local policies, a service may wish to use dialback to provide weak
identity verification in cases where SASL negotiation would not
result in strong authentication (e.g., because the certificate
presented by the peer service during TLS negotiation is self-signed
and thus provides even weaker identity verification than DNS).
The server dialback method is made possible by the existence of the
Domain Name System (DNS), since one server can (normally) discover
the authoritative server for a given domain. Because dialback
depends on DNS, inter-domain communications MUST NOT proceed until
the Domain Name System (DNS) hostnames asserted by the servers have
been resolved (see Server-to-Server Communications (Section 15.4)).
Server dialback is uni-directional, and results in weak identity
verification for one stream in one direction. Because server
dialback is not an authentication mechanism, mutual authentication is
not possible via dialback. Therefore, server dialback MUST be
completed in each direction in order to enable bi-directional
communications between two domains.
Saint-Andre Expires July 30, 2007 [Page 79]
Internet-Draft XMPP Core January 2007
The method for generating and verifying the keys used in server
dialback MUST take into account the hostnames being used, the stream
ID generated by the receiving server, and a secret known by the
authoritative server's network; see Appendix C.5 for the recommended
algorithm.
Any error that occurs during dialback negotiation MUST be considered
a stream error, resulting in termination of the stream and of the
underlying TCP connection. The possible error conditions are
specified in the protocol description below.
The following terminology applies:
o ORIGINATING SERVER -- the server that is attempting to establish a
connection between two domains.
o RECEIVING SERVER -- the server that is trying to authenticate that
the Originating Server represents the domain which it claims to
be.
o AUTHORITATIVE SERVER -- the server that answers to the DNS
hostname asserted by the Originating Server; for basic
environments this will be the Originating Server, but it could be
a separate machine in the Originating Server's network.
C.2. Order of Events
The following is a brief summary of the order of events in dialback:
1. The Originating Server establishes a connection to the Receiving
Server.
2. The Originating Server sends a 'key' value over the connection to
the Receiving Server.
3. The Receiving Server establishes a connection to the
Authoritative Server.
4. The Receiving Server sends the same 'key' value to the
Authoritative Server.
5. The Authoritative Server replies that key is valid or invalid.
6. The Receiving Server informs the Originating Server whether it is
authenticated or not.
We can represent this flow of events graphically as follows:
Saint-Andre Expires July 30, 2007 [Page 80]
Internet-Draft XMPP Core January 2007
Originating Receiving
Server Server
----------- ---------
| |
| establish connection |
| ----------------------> |
| |
| send stream header |
| ----------------------> |
| |
| send stream header |
| <---------------------- |
| | Authoritative
| send dialback key | Server
| ----------------------> | -------------
| | |
| establish connection |
| ----------------------> |
| |
| send stream header |
| ----------------------> |
| |
| send stream header |
| <---------------------- |
| |
| send verify request |
| ----------------------> |
| |
| send verify response |
| <---------------------- |
|
| report dialback result |
| <---------------------- |
| |
C.3. Protocol
This section describes the detailed protocol interaction between the
Originating Server, the Receiving Server, and the Authoritative
Server.
This section uses the following domain names, IP addresses, stream
IDs, and shared secret in the examples:
o The Originating Server is "example.org" (there is no IP address
associated with this domain since it is merely asserted by the
Originating Server).
Saint-Andre Expires July 30, 2007 [Page 81]
Internet-Draft XMPP Core January 2007
o The Receiving Server is "xmpp.example.com" and its IP address is
"192.0.2.0".
o The Authoritative Server is "example.org" and its IP address is
"192.0.2.1".
o The stream ID of the stream from the Originating Server to the
Receiving Server is "D60000229F".
o The shared secret known by the Authoritative Server's network is
"s3cr3tf0rd14lb4ck".
o The stream ID of the stream from the Receiving Server to the
Authoritative Server is "F92200006D".
To assist the reader, the following conventions are used to clarify
the flow of packets:
o "O2R:" -- packets sent from the Originating Server to the
Receiving Server.
o "R2O:" -- packets sent from the Receiving Server to the
Originating Server.
o "R2A:" -- packets sent from the Receiving Server to the
Authoritative Server.
o "A2R:" -- packets sent from the Authoritative Server to the
Receiving Server.
The flow of events is as follows:
1. The Originating Server (asserted to be "example.org") performs a
DNS lookup for the Receiving Server (in accordance with the
procedure described under Section 4) and establishes a TCP
connection to the Receiving Server at the IP address and port
discovered during the DNS lookup (here assumed to be "192.0.2.0"
and "5269").
2. The Originating Server sends a stream header to the Receiving
Server:
O2R: <stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.org'
to='xmpp.example.com'>
Note: The inclusion of the xmlns:db namespace declaration with
the name shown indicates to the Receiving Server that the
Originating Server supports server dialback. If any of the
namespace names provided by the Originating Server is incorrect,
then the Receiving Server MUST generate an <invalid-namespace/>
stream error condition and terminate both the XML stream and the
underlying TCP connection. If the value of the 'to' address
Saint-Andre Expires July 30, 2007 [Page 82]
Internet-Draft XMPP Core January 2007
provided by the Originating Server does not match a hostname
serviced by the Receiving Server, then the Receiving Server MUST
generate a <host-unknown/> stream error condition and terminate
both the XML stream and the underlying TCP connection.
3. The Receiving Server SHOULD send a stream header back to the
Originating Server over the same TCP connection, including a
unique ID for this interaction:
R2O: <stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='xmpp.example.com'
id='D60000229F'
to='example.org'>
Note: The Receiving Server SHOULD reply but MAY silently
terminate the XML stream and underlying TCP connection depending
on local security policies; however, if the Receiving Server
desires to proceed, it MUST send a stream header back to the
Originating Server. If any of the namespace names provided by
the Receiving Server is incorrect, then the Originating Server
MUST generate an <invalid-namespace/> stream error condition and
terminate both the XML stream and the underlying TCP connection.
If the value of the 'to' address provided by the Receiving
Server does not match a hostname serviced by the Originating
Server, then the Originating Server MUST generate a <host-
unknown/> stream error condition and terminate both the XML
stream and the underlying TCP connection.
4. The Receiving Server SHOULD also send stream features to the
Originating Server, including the dialback feature as described
under Appendix C.6:
R2O: <stream:features>
<dialback xmlns='urn:xmpp:features:dialback'>
<required/>
</dialback>
</stream:features>
5. The Originating Server MUST then send a dialback key to the
Receiving Server:
Saint-Andre Expires July 30, 2007 [Page 83]
Internet-Draft XMPP Core January 2007
O2R: <db:result
to='xmpp.example.com'
from='example.org'>
37c69b1cf07a3f67c04a5ef5902fa5114f2c76fe4a2686482ba5b89323075643
</db:result>
If the value of the 'to' address provided by the Originating
Server does not match a hostname serviced by the Receiving
Server, then the Receiving Server MUST generate a <host-
unknown/> stream error condition and terminate both the XML
stream and the underlying TCP connection. The key generated by
the Originating Server MUST be based in part on the value of the
ID provided by the Receiving Server in the previous step (here
"D60000229F"), and in part on a secret shared by the Originating
Server and the Authoritative Server (here "s3cr3tf0rd14lb4ck").
Any verifiable method MAY be used to generate the key; however,
the method specified under Appendix C.5 is RECOMMENDED. The key
is not examined by the Receiving Server, since the key is
validated by the Authoritative Server.
6. The Receiving Server performs a DNS lookup for the Authoritative
Server (in accordance with the procedure described under
Section 4) and establishes a TCP connection to the Authoritative
Server at the IP address and port discovered during the DNS
lookup (here assumed to be "192.0.2.1" and "5269").
7. The Receiving Server sends a stream header to the Authoritative
Server:
R2A: <stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='xmpp.example.com'
to='example.org'>
Note: If the namespace name is incorrect, then the Authoritative
Server MUST generate an <invalid-namespace/> stream error
condition and terminate both the XML stream and the underlying
TCP connection. If the value of the 'to' address provided by
the Receiving Server does not match a hostname serviced by the
Authoritative Server, then the Authoritative Server MUST
generate a <host-unknown/> stream error condition and terminate
both the XML stream and the underlying TCP connection.
8. The Authoritative Server sends the Receiving Server a stream
header:
Saint-Andre Expires July 30, 2007 [Page 84]
Internet-Draft XMPP Core January 2007
A2R: <stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.org'
id='F92200006D'
to='xmpp.example.com'>
Note: If any of the namespace names provided by the
Authoritative Server is incorrect, then the Receiving Server
MUST generate an <invalid-namespace/> stream error condition and
terminate both the XML stream and the underlying TCP connection
between it and the Authoritative Server. If the value of the
'to' address provided by the Authoritative Server does not match
a hostname serviced by the Receiving Server, then the Receiving
Server MUST generate a <host-unknown/> stream error condition
and terminate both the XML stream and the underlying TCP
connection. If a stream error occurs between the Receiving
Server and the Authoritative Server, then the Receiving Server
MUST not only terminate the XML stream and the underlying TCP
connection between it and the Authoritative Server but also
terminate the XML stream and the underlying TCP connection
between it and the Originating Server, generating a <remote-
connection-failed/> stream error for the latter stream.
9. The Receiving Server sends the Authoritative Server a request
for verification of a key:
R2A: <db:verify
from='xmpp.example.com'
to='example.org'
id='D60000229F'>
37c69b1cf07a3f67c04a5ef5902fa5114f2c76fe4a2686482ba5b89323075643
</db:verify>
Note: Passed here are the hostnames of the Receiving Server
('from') and the Originating Server ('to'), the original
identifier from the Receiving Server's stream header to the
Originating Server in Step 3, and the key that the Originating
Server sent to the Receiving Server in Step 5. Based on this
information, as well as shared secret information within the
Authoritative Server's network, the Authoritative Server
determines whether the key is valid or invalid. If the value of
the 'to' address does not match a hostname serviced by the
Authoritative Server, then the Authoritative Server MUST
generate a <host-unknown/> stream error condition and terminate
both the XML stream and the underlying TCP connection. If the
value of the 'from' address does not match the hostname sent by
the Receiving Server in the 'from' address of the stream header
Saint-Andre Expires July 30, 2007 [Page 85]
Internet-Draft XMPP Core January 2007
it sent to the Authoritative Server in Step 7, then the
Authoritative Server MUST generate an <invalid-from/> stream
error condition and terminate both the XML stream and the
underlying TCP connection.
10. The Authoritative Server determines whether the key was valid or
invalid and informs the Receiving Server of its determination:
A2R: <db:verify
from='example.org'
to='xmpp.example.com'
id='D60000229F'
type='valid'/>
or
A2R: <db:verify
from='example.org'
to='xmpp.example.com'
id='D60000229F'
type='invalid'/>
Note: If the ID does not match that provided by the Receiving
Server in Step 3, then the Receiving Server MUST generate an
<invalid-id/> stream error condition and terminate both the XML
stream and the underlying TCP connection. If the value of the
'to' address does not match a hostname serviced by the Receiving
Server, then the Receiving Server MUST generate a <host-
unknown/> stream error condition and terminate both the XML
stream and the underlying TCP connection. If the value of the
'from' address does not match the hostname represented by the
Originating Server in the 'from' address of the stream header it
sent to the Receiving Server in Step 2, then the Receiving
Server MUST generate an <invalid-from/> stream error condition
and terminate both the XML stream and the underlying TCP
connection. After returning the verification to the Receiving
Server, the Authoritative Server SHOULD terminate the stream
between them and the underlying TCP connection.
11. The Receiving Server informs the Originating Server of the
result:
R2O: <db:result
from='xmpp.example.com'
to='example.org'
id='D60000229F'
type='valid'/>
Note: At this point, the connection from the Originating Server
to the Receiving Server has either been validated or reported as
Saint-Andre Expires July 30, 2007 [Page 86]
Internet-Draft XMPP Core January 2007
invalid. If the connection is invalid, then the Receiving
Server MUST terminate both the XML stream and the underlying TCP
connection between itself and the Originating Server. If the
connection is valid, the Receiving Server has verified the
identity of the Originating Server; as a result, the Originating
Server may now send XML stanzas to the Receiving Server over the
validated connection (i.e., over the "initial stream" from the
Originating Server to the Receiving Server).
Until the initial stream has been validated, the Receiving Server
MUST silently drop all XML stanzas sent by the Originating Server to
the Receiving Server.
After successful dialback negotiation, the Receiving Server MUST
verify that all XML stanzas received from the Originating Server
include a 'from' attribute and a 'to' attribute; if a stanza does not
meet this restriction, the Receiving Server MUST generate an
<improper-addressing/> stream error condition and terminate both the
XML stream and the underlying TCP connection. Furthermore, the
Receiving Server MUST verify that the 'from' attribute of stanzas
received from the Originating Server includes a domain name that has
been validated for the stream; if a stanza does not meet this
restriction, the Receiving Server MUST generate an <invalid-from/>
stream error condition and terminate both the XML stream and the
underlying TCP connection. Both of these checks help to prevent
spoofing related to particular stanzas.
As mentioned, server dialback results in weak identity verification
in one direction only (in the foregoing text, verification of the
Originating Server by the Receiving Server). In order to proceed
with bi-directional communication so that the Receiving Server may
sent XML stanzas to the Originating Server, the Receiving Server MUST
now also initiate a dialback negotiation with the Originating Server.
C.4. Reuse of Negotiated Connections
After the Receiving Server has validated the connection from the
Originating Server, the Originating Server may wish to reuse that
connection for validation of additional domains. One common
motivation for such reuse is the existence of additional services
associated with the Originating Server but hosted at subdomains of
the Originating Server (the use of subdomains helps to ensure proper
routing of XML stanzas to the hosted services). For example, the
"example.org" XMPP server may host a groupchat service at
"chat.example.org". In order to accept XML stanzas from rooms at
"chat.example.org" intended for addresses at "xmpp.example.com", the
"xmpp.example.com" will need to validate the "chat.example.org"
domain (just as it already did for the "example.org" domain). Thus
Saint-Andre Expires July 30, 2007 [Page 87]
Internet-Draft XMPP Core January 2007
the "example.org" server would now initiate a dialback negotiation
with "xmpp.example.com" but specify the Originating Server as
"chat.example.org". Several optimizations are possible:
o Because the "example.org" server already has a validated
connection open to the Receiving Server ("xmpp.example.com"), it
MAY send a <db:result/> element with the key to be validated for
the new Originating Server ("chat.example.org") over the XML
stream that has already been negotiated, rather than opening a new
TCP connection and XML stream. The Receiving Server SHOULD accept
this element rather than returning an error to the Originating
Server over the previously negotiated connection.
o If the Receiving Server ("xmpp.example.com") has also negotiated a
valid connection in the other direction (from the Receiving Server
to the Originating Server), then that connection is ipso facto a
connection to the Authoritative Server for the first negotiation.
Therefore the receiving server can re-use that connection for
exchange of the <db:verify/> elements associated with the second
negotiation. The Authoritative Server SHOULD accept this element
rather than returning an error to the Receiving Server over the
previously negotiated connection.
These optimizations effectively enable "piggybacking" of the
previously negotiated connections.
C.5. Dialback Key Generation
As mentioned, the dialback key is generated based on four different
pieces of information:
o the hostname of the Originating Server
o the hostname of the Receiving Server
o the Stream ID
o a shared secret known by the Authoritative Server's network
The stream ID is security-critical in server dialback and therefore
MUST be both unpredictable and non-repeating (see [RANDOM] for
recommendations regarding randomness for security purposes).
It is RECOMMENDED for the dialback key to be the hexadecimal
representation of a Keyed-Hash Message Authentication Code (see
[HMAC]) that uses the SHA-256 algorithm (see [SHA]), as follows:
HMAC-SHA256
(
SHA256(secret),
{'Receiving Server' 'Originating Server' 'Stream ID'}
)
Saint-Andre Expires July 30, 2007 [Page 88]
Internet-Draft XMPP Core January 2007
The shared secret SHOULD either be set up in a configuration option
for each host or process within the Authoritative Server's network or
generated as a random string when starting each host or process. The
secret's length SHOULD be at least 128 bits or 16 characters long.
Consider the following scenario:
o The Originating Server is "example.org"
o The Receiving Server is "xmpp.example.com"
o The Stream ID is "D60000229F"
o The secret is "s3cr3tf0rd14lb4ck"
The resulting dialback key would be:
HMAC-SHA256
(
SHA256(secret),
{'Receiving Server' 'Originating Server' 'Stream ID'}
)
that is,
HMAC-SHA256
(SHA256('s3cr3tf0rd14lb4ck'),
{'xmpp.example.net',' ','example.org',' ','D60000229F'})
that is,
HMAC-SHA256
('a7136eb1f46c9ef18c5e78c36ca257067c69b3d518285f0b18a96c33beae9acc',
{'xmpp.example.com example.org D60000229F'})
that is,
37c69b1cf07a3f67c04a5ef5902fa5114f2c76fe4a2686482ba5b89323075643
C.6. Advertisement
Support for the server dialback protocol can be indicated in two
ways:
1. By inclusion of the server dialback feature in a given set of
stream features.
2. By inclusion of the dialback namespace declaration in the stream
header.
The former method is preferred, but the latter method is also
specified herein for the purpose of backwards-compatibility with
Saint-Andre Expires July 30, 2007 [Page 89]
Internet-Draft XMPP Core January 2007
older "XMPP 0.9" deployments.
The server dialback stream feature is advertised by including in any
given set of stream features a <dialback/> element qualified by the
'urn:xmpp:features:dialback' namespace; the <dialback/> element MAY
also include an empty <required/> element, indicating that the entity
sending the stream features requires dialback to be negotiated for
the stream.
Server2 informs Server1 that it supports (and requires) server
dialback:
<stream:features>
<dialback xmlns='urn:xmpp:features:dialback'>
<required/>
</dialback>
</stream:features>
As mentioned, support for the server dialback protocol can also be
advertised by including the dialback namespace declaration in a
stream header.
<stream:stream
xmlns='jabber:server'
xmlns:db='jabber:server:dialback'
xmlns:stream='http://etherx.jabber.org/streams'
from='example.com'
to='example.net'>
No matter which method is used, a service SHOULD advertise support
for server dialback only at a point in the stream negotiation when it
will accept negotiation of server dialback for that stream. For
example, if a service wishes to be backwards-compatible with older
"XMPP 0.9" deployments, it SHOULD include the server dialback
namespace declaration in the initial stream header it sends to other
servers (so that "XMPP 0.9" servers can proceed with dialback in the
absence of TLS and SASL authentication). However, in the midst of
stream negotiation with an XMPP 1.0 or higher server, a service
SHOULD advertise the dialback stream feature only at a point when
negotiation of server dialback is allowed in accordance with local
service policies (e.g., after TLS negotiation in the case when a
self-signed certificate was presented by the Originating Server and
local service policies stipulate that it is preferable to weakly
identify the Originating Server via server dialback rather than
depend on the self-signed certificate for identity verification).
Saint-Andre Expires July 30, 2007 [Page 90]
Internet-Draft XMPP Core January 2007
Appendix D. XML Schemas
The following XML schemas are descriptive, not normative. For
schemas defining the 'jabber:client' and 'jabber:server' namespaces,
refer to [XMPP-IM].
D.1. Streams namespace
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='http://etherx.jabber.org/streams'
xmlns='http://etherx.jabber.org/streams'
elementFormDefault='unqualified'>
<xs:import namespace='jabber:client'/>
<xs:import namespace='jabber:server'/>
<xs:import namespace='jabber:server:dialback'/>
<xs:element name='stream'>
<xs:complexType>
<xs:sequence xmlns:client='jabber:client'
xmlns:server='jabber:server'
xmlns:db='jabber:server:dialback'>
<xs:element ref='features' minOccurs='0' maxOccurs='1'/>
<xs:any namespace='urn:ietf:params:xml:ns:xmpp-tls'
minOccurs='0'
maxOccurs='unbounded'/>
<xs:any namespace='urn:ietf:params:xml:ns:xmpp-sasl'
minOccurs='0'
maxOccurs='unbounded'/>
<xs:choice minOccurs='0' maxOccurs='1'>
<xs:choice minOccurs='0' maxOccurs='unbounded'>
<xs:element ref='client:message'/>
<xs:element ref='client:presence'/>
<xs:element ref='client:iq'/>
</xs:choice>
<xs:choice minOccurs='0' maxOccurs='unbounded'>
<xs:element ref='server:message'/>
<xs:element ref='server:presence'/>
<xs:element ref='server:iq'/>
<xs:element ref='db:result'/>
<xs:element ref='db:verify'/>
</xs:choice>
</xs:choice>
<xs:element ref='error' minOccurs='0' maxOccurs='1'/>
</xs:sequence>
Saint-Andre Expires July 30, 2007 [Page 91]
Internet-Draft XMPP Core January 2007
<xs:attribute name='from' type='xs:string' use='optional'/>
<xs:attribute name='id' type='xs:NMTOKEN' use='optional'/>
<xs:attribute name='to' type='xs:string' use='optional'/>
<xs:attribute name='version' type='xs:decimal' use='optional'/>
<xs:attribute ref='xml:lang' use='optional'/>
</xs:complexType>
</xs:element>
<xs:element name='features'>
<xs:complexType>
<xs:any namespace='##other'/>
</xs:complexType>
</xs:element>
<xs:element name='error'>
<xs:complexType>
<xs:sequence xmlns:err='urn:ietf:params:xml:ns:xmpp-streams'>
<xs:group ref='err:streamErrorGroup'/>
<xs:element ref='err:text'
minOccurs='0'
maxOccurs='1'/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
D.2. Stream error namespace
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:ietf:params:xml:ns:xmpp-streams'
xmlns='urn:ietf:params:xml:ns:xmpp-streams'
elementFormDefault='qualified'>
<xs:element name='bad-format' type='empty'/>
<xs:element name='bad-namespace-prefix' type='empty'/>
<xs:element name='conflict' type='empty'/>
<xs:element name='connection-timeout' type='empty'/>
<xs:element name='host-gone' type='empty'/>
<xs:element name='host-unknown' type='empty'/>
<xs:element name='improper-addressing' type='empty'/>
<xs:element name='internal-server-error' type='empty'/>
<xs:element name='invalid-from' type='empty'/>
<xs:element name='invalid-id' type='empty'/>
<xs:element name='invalid-namespace' type='empty'/>
Saint-Andre Expires July 30, 2007 [Page 92]
Internet-Draft XMPP Core January 2007
<xs:element name='invalid-xml' type='empty'/>
<xs:element name='not-authorized' type='empty'/>
<xs:element name='policy-violation' type='empty'/>
<xs:element name='remote-connection-failed' type='empty'/>
<xs:element name='resource-constraint' type='empty'/>
<xs:element name='restricted-xml' type='empty'/>
<xs:element name='see-other-host' type='xs:string'/>
<xs:element name='system-shutdown' type='empty'/>
<xs:element name='undefined-condition' type='empty'/>
<xs:element name='unsupported-encoding' type='empty'/>
<xs:element name='unsupported-stanza-type' type='empty'/>
<xs:element name='unsupported-version' type='empty'/>
<xs:element name='xml-not-well-formed' type='empty'/>
<xs:group name='streamErrorGroup'>
<xs:choice>
<xs:element ref='bad-format'/>
<xs:element ref='bad-namespace-prefix'/>
<xs:element ref='conflict'/>
<xs:element ref='connection-timeout'/>
<xs:element ref='host-gone'/>
<xs:element ref='host-unknown'/>
<xs:element ref='improper-addressing'/>
<xs:element ref='internal-server-error'/>
<xs:element ref='invalid-from'/>
<xs:element ref='invalid-id'/>
<xs:element ref='invalid-namespace'/>
<xs:element ref='invalid-xml'/>
<xs:element ref='not-authorized'/>
<xs:element ref='policy-violation'/>
<xs:element ref='remote-connection-failed'/>
<xs:element ref='resource-constraint'/>
<xs:element ref='restricted-xml'/>
<xs:element ref='see-other-host'/>
<xs:element ref='system-shutdown'/>
<xs:element ref='undefined-condition'/>
<xs:element ref='unsupported-encoding'/>
<xs:element ref='unsupported-stanza-type'/>
<xs:element ref='unsupported-version'/>
<xs:element ref='xml-not-well-formed'/>
</xs:choice>
</xs:group>
<xs:element name='text'>
<xs:complexType>
<xs:simpleContent>
<xs:extension base='xs:string'>
<xs:attribute ref='xml:lang' use='optional'/>
Saint-Andre Expires July 30, 2007 [Page 93]
Internet-Draft XMPP Core January 2007
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name='empty'>
<xs:restriction base='xs:string'>
<xs:enumeration value=''/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
D.3. TLS namespace
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:ietf:params:xml:ns:xmpp-tls'
xmlns='urn:ietf:params:xml:ns:xmpp-tls'
elementFormDefault='qualified'>
<xs:element name='starttls'>
<xs:complexType>
<xs:sequence>
<xs:element name='required'
minOccurs='0'
type='empty'/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name='proceed' type='empty'/>
<xs:element name='failure' type='empty'/>
<xs:simpleType name='empty'>
<xs:restriction base='xs:string'>
<xs:enumeration value=''/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
D.4. SASL namespace
<?xml version='1.0' encoding='UTF-8'?>
Saint-Andre Expires July 30, 2007 [Page 94]
Internet-Draft XMPP Core January 2007
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:ietf:params:xml:ns:xmpp-sasl'
xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
elementFormDefault='qualified'>
<xs:element name='mechanisms'>
<xs:complexType>
<xs:sequence>
<xs:element name='mechanism'
maxOccurs='unbounded'
type='xs:string'/>
<xs:element name='required'
minOccurs='0'
type='empty'/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name='auth'>
<xs:complexType>
<xs:simpleContent>
<xs:extension base='xs:string'>
<xs:attribute name='mechanism'
type='xs:string'
use='optional'/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name='challenge' type='xs:string'/>
<xs:element name='response' type='xs:string'/>
<xs:element name='abort' type='empty'/>
<xs:element name='success' type='xs:string'/>
<xs:element name='failure'>
<xs:complexType>
<xs:choice minOccurs='0'>
<xs:element name='aborted' type='empty'/>
<xs:element name='incorrect-encoding' type='empty'/>
<xs:element name='invalid-authzid' type='empty'/>
<xs:element name='invalid-mechanism' type='empty'/>
<xs:element name='malformed-request' type='empty'/>
<xs:element name='mechanism-too-weak' type='empty'/>
<xs:element name='not-authorized' type='empty'/>
<xs:element name='temporary-auth-failure' type='empty'/>
</xs:choice>
Saint-Andre Expires July 30, 2007 [Page 95]
Internet-Draft XMPP Core January 2007
</xs:complexType>
</xs:element>
<xs:simpleType name='empty'>
<xs:restriction base='xs:string'>
<xs:enumeration value=''/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
D.5. Resource binding namespace
Saint-Andre Expires July 30, 2007 [Page 96]
Internet-Draft XMPP Core January 2007
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:ietf:params:xml:ns:xmpp-bind'
xmlns='urn:ietf:params:xml:ns:xmpp-bind'
elementFormDefault='qualified'>
<xs:element name='bind'>
<xs:complexType>
<xs:sequence>
<xs:choice minOccurs='0' maxOccurs='1'>
<xs:element name='resource' type='resourceType'/>
<xs:element name='jid' type='fullJIDType'/>
</xs:choice>
<xs:element name='required'
minOccurs='0'
maxOccurs='1'
type='empty'/>
</xs:choice>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name='unbind'>
<xs:complexType>
<xs:sequence minOccurs='0'>
<xs:element name='resource' type='resourceType'/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:simpleType name='resourceType'>
<xs:restriction base='xs:string'>
<xs:minLength value='1'/>
<xs:maxLength value='1023'/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name='fullJIDType'>
<xs:restriction base='xs:string'>
<xs:minLength value='8'/>
<xs:maxLength value='3071'/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
Saint-Andre Expires July 30, 2007 [Page 97]
Internet-Draft XMPP Core January 2007
D.6. Dialback namespace
Saint-Andre Expires July 30, 2007 [Page 98]
Internet-Draft XMPP Core January 2007
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='jabber:server:dialback'
xmlns='jabber:server:dialback'
elementFormDefault='qualified'>
<xs:element name='result'>
<xs:complexType>
<xs:simpleContent>
<xs:extension base='xs:token'>
<xs:attribute name='from' type='xs:string' use='required'/>
<xs:attribute name='to' type='xs:string' use='required'/>
<xs:attribute name='type' use='optional'>
<xs:simpleType>
<xs:restriction base='xs:NCName'>
<xs:enumeration value='invalid'/>
<xs:enumeration value='valid'/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name='verify'>
<xs:complexType>
<xs:simpleContent>
<xs:extension base='xs:token'>
<xs:attribute name='from' type='xs:string' use='required'/>
<xs:attribute name='id' type='xs:NMTOKEN' use='required'/>
<xs:attribute name='to' type='xs:string' use='required'/>
<xs:attribute name='type' use='optional'>
<xs:simpleType>
<xs:restriction base='xs:NCName'>
<xs:enumeration value='invalid'/>
<xs:enumeration value='valid'/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:schema>
Saint-Andre Expires July 30, 2007 [Page 99]
Internet-Draft XMPP Core January 2007
D.7. Server dialback stream feature namespace
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:xmpp:features:dialback'
xmlns='urn:xmpp:features:dialback'
elementFormDefault='qualified'>
<xs:element name='dialback'>
<xs:complexType>
<xs:sequence>
<xs:element name='required'
minOccurs='0'
maxOccurs='1'
type='empty'/>
</xs:sequence>
</xs:complexType>
<xs:simpleType name='empty'>
<xs:restriction base='xs:string'>
<xs:enumeration value=''/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
D.8. Stanza error namespace
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:ietf:params:xml:ns:xmpp-stanzas'
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'
elementFormDefault='qualified'>
<xs:element name='bad-request' type='empty'/>
<xs:element name='conflict' type='empty'/>
<xs:element name='feature-not-implemented' type='empty'/>
<xs:element name='forbidden' type='empty'/>
<xs:element name='gone' type='xs:string'/>
<xs:element name='internal-server-error' type='empty'/>
<xs:element name='item-not-found' type='empty'/>
<xs:element name='jid-malformed' type='empty'/>
<xs:element name='not-acceptable' type='empty'/>
<xs:element name='not-allowed' type='empty'/>
Saint-Andre Expires July 30, 2007 [Page 100]
Internet-Draft XMPP Core January 2007
<xs:element name='not-modified' type='empty'/>
<xs:element name='payment-required' type='empty'/>
<xs:element name='recipient-unavailable' type='empty'/>
<xs:element name='redirect' type='xs:string'/>
<xs:element name='registration-required' type='empty'/>
<xs:element name='remote-server-not-found' type='empty'/>
<xs:element name='remote-server-timeout' type='empty'/>
<xs:element name='resource-constraint' type='empty'/>
<xs:element name='service-unavailable' type='empty'/>
<xs:element name='subscription-required' type='empty'/>
<xs:element name='undefined-condition' type='empty'/>
<xs:element name='unexpected-request' type='empty'/>
<xs:group name='stanzaErrorGroup'>
<xs:choice>
<xs:element ref='bad-request'/>
<xs:element ref='conflict'/>
<xs:element ref='feature-not-implemented'/>
<xs:element ref='forbidden'/>
<xs:element ref='gone'/>
<xs:element ref='internal-server-error'/>
<xs:element ref='item-not-found'/>
<xs:element ref='jid-malformed'/>
<xs:element ref='not-acceptable'/>
<xs:element ref='not-allowed'/>
<xs:element ref='not-modified'/>
<xs:element ref='payment-required'/>
<xs:element ref='recipient-unavailable'/>
<xs:element ref='redirect'/>
<xs:element ref='registration-required'/>
<xs:element ref='remote-server-not-found'/>
<xs:element ref='remote-server-timeout'/>
<xs:element ref='resource-constraint'/>
<xs:element ref='service-unavailable'/>
<xs:element ref='subscription-required'/>
<xs:element ref='undefined-condition'/>
<xs:element ref='unexpected-request'/>
</xs:choice>
</xs:group>
<xs:element name='text'>
<xs:complexType>
<xs:simpleContent>
<xs:extension base='xs:string'>
<xs:attribute ref='xml:lang' use='optional'/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
Saint-Andre Expires July 30, 2007 [Page 101]
Internet-Draft XMPP Core January 2007
</xs:element>
<xs:simpleType name='empty'>
<xs:restriction base='xs:string'>
<xs:enumeration value=''/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
Appendix E. Contact Addresses
Consistent with [MAILBOXES], an organization that offers an XMPP
service SHOULD provide an Internet mailbox of "XMPP" for inquiries
related to that service, where the host portion of the resulting
mailto URI SHOULD be the organization's domain, not necessarily the
domain of the XMPP service itself (e.g., the XMPP service might be
offered at im.example.net but the Internet mailbox should be
<xmpp@example.net>).
In addition, the XMPP service SHOULD provide a way to discover the
XMPP contact address(es) of the service administrator(s), as
specified in [XEP-0157].
Appendix F. Differences From RFC 3920
Based on consensus derived from implementation and deployment
experience as well as formal interoperability testing, the following
modifications were made from RFC 3920. In addition, several other
changes were made to more clearly specify and explain the protocols.
o Corrected the ABNF syntax for JIDs to prevent zero-length node
identifiers, domain identifiers, and resource identifiers.
o Corrected the nameprep processing rules to require use of the
UseSTD3ASCIIRules flag.
o Encouraged use of the 'from' and 'to' attributes stream headers.
o More clearly specified stream closing handshake.
o Specified recommended stream reconnection algorithm.
o Specified return of <restricted-xml/> stream error in response to
receipt of restricted XML.
o Specified that SASL mechanisms must be sent both before and after
negotiation of TLS and of SASL security layers.
o Specified that TLS plus SASL PLAIN is a mandatory-to-implement
technology for client-to-server connections, since implementation
of SASL EXTERNAL is uncommon in XMPP clients, in part because
underlying security features such as X.509 certificates are not
Saint-Andre Expires July 30, 2007 [Page 102]
Internet-Draft XMPP Core January 2007
yet widely deployed.
o Added the <malformed-request/> SASL error condition to handle an
error case discussed in RFC 4422.
o More clearly specified binding of multiple resources to the same
stream.
o Added the <not-modified/> stanza error condition to enable
potential ETags usage.
o Added the <unknown-sender/> stanza error condition to provide
appropriate handling of stanzas when multiple resources are bound
to the same stream.
o Added section on advertisement of server dialback support,
including server dialback stream feature.
o Recommended use of HMAC-SHA256 for generation of server dialback
key.
Author's Address
Peter Saint-Andre (editor)
XMPP Standards Foundation
Email: stpeter@jabber.org
URI: xmpp:stpeter@jabber.org
Saint-Andre Expires July 30, 2007 [Page 103]
Internet-Draft XMPP Core January 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Saint-Andre Expires July 30, 2007 [Page 104]
| PAFTECH AB 2003-2026 | 2026-04-24 01:14:52 |