Hi there, In XEP-0045 it says that (§17.4#3):
> If an occupant wants to send an IQ stanza to another user in a semi-anonymous > room, the sender can direct the stanza to the recipient's occupant JID and > the service SHOULD forward the stanza to the recipient's real JID. However, > the MUC service MUST NOT reveal the sender's real JID to the recipient at any > time, nor reveal the recipient's real JID to the sender. While the XEP is very specific, that <message>s are to be routed to the full JID of each occupant, it does not specify, if <iq>s are to be routed to the users full or bare JID. Currently server implementations seem to have diverting behavior in this regard: ejabberd and Prosody<0.11 route IQs to the full JID (any of them if there are multiple) except if the IQ contains a vCard query, which is send to the bare JID. Prosody 0.11+ routes PubSub IQs to the bare JID. ejabberd allows to disable IQ forwarding on a per room basis (allow_query_users config). Also I wonder regarding the statement that the service must not reveal the recipient's real JID to the sender: vCards do have a JABBERID field that might be set to the users real JID. Doing so will normally only reveal the JABBERID to users that already have it, as this is a requirement to fetch the vCard outside of MUCs. If MUCs forward IQ requests for the vCard, they reveal the vCard's JABBERID, that they only could retrieve because they knew the real JID, and thus they do reveal the recipient's real JID to the sender. As the recipient server does not know if the vCard request comes from a MUC, it assumes it's a normal user and thus cannot apply any privacy filtering. Other information (beside JABBERID) that can be retrieved using vCard or PubSub may contain privacy sensitive information (including the Avatar, which I believe to be one of the main reasons servers have the described behavior). During ongoing XMPP sprint we found that it probably would be best if we do not route IQs in semi-anonymous MUCs (even pings have the issue of revealing a RTT which can be used to estimate the location of the other occupant or their server). However this is contrary to both, current implementations and the specification in XEP-0045. What is supposed to be the correct behavior? Can we clarify in XEP-0045§17.4 how to correctly route IQs in a MUC? Should we expect MUC servers to modify the vCard to ensure they don't reveal the real JID? Thanks for any feedback, Marvin _______________________________________________ Standards mailing list Info: https://mail.jabber.org/mailman/listinfo/standards Unsubscribe: standards-unsubscr...@xmpp.org _______________________________________________
