Network Working Group                                      P. Saint-Andre
Internet-Draft                                                        XSF
Obsoletes: 4622 (if approved)                               June 12, 2007
Intended status: Standards Track
Expires: December 14, 2007


     Internationalized Resource Identifiers (IRIs) and Uniform Resource
   Identifiers (URIs) for the Extensible Messaging and Presence Protocol
                                  (XMPP)
                     draft-saintandre-rfc4622bis-01

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 14, 2007.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document defines the use of Internationalized Resource
   Identifiers (IRIs) and Uniform Resource Identifiers (URIs) in
   identifying or interacting with entities that can communicate via the
   Extensible Messaging and Presence Protocol (XMPP).

   This document obsoletes RFC 4622.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Use of XMPP IRIs and URIs
     2.1.  Rationale
     2.2.  Form
     2.3.  Authority Component
     2.4.  Path Component
     2.5.  Query Component
     2.6.  Fragment Identifier Component
     2.7.  Generation of XMPP IRIs/URIs
     2.8.  Processing of XMPP IRIs/URIs
     2.9.  Internationalization
   3.  IANA Registration of xmpp URI Scheme
     3.1.  URI Scheme Name
     3.2.  Status
     3.3.  URI Scheme Syntax
     3.4.  URI Scheme Semantics
     3.5.  Encoding Considerations
     3.6.  Applications/Protocols That Use This URI Scheme Name
     3.7.  Interoperability Considerations
     3.8.  Security Considerations
     3.9.  Contact
     3.10.  Author/Change Controller
     3.11.  References
   4.  IANA Considerations
   5.  Security Considerations
     5.1.  Reliability and Consistency
     5.2.  Malicious Construction
     5.3.  Back-End Transcoding
     5.4.  Sensitive Information
     5.5.  Semantic Attacks
     5.6.  Spoofing
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Differences From RFC 4622
   Author's Address
   Intellectual Property and Copyright Statements

1.  Introduction

   The Extensible Messaging and Presence Protocol (XMPP) is a streaming
   XML technology that enables any two entities on a network to exchange
   well-defined but extensible XML elements (called "XML stanzas") at a
   rate close to real time.

   As specified in [XMPP-CORE], entity addresses as used in
   communications over an XMPP network must not be prepended with a
   Uniform Resource Identifier (URI) scheme (as specified in [URI]).
   However, applications external to an XMPP network may need to
   identify XMPP entities either as URIs or, in a more modern fashion,
   as Internationalized Resource Identifiers (IRIs; see [IRI]).
   Examples of such external applications include databases that need to
   store XMPP addresses and non-native user agents such as web browsers
   and calendaring applications that provide interfaces to XMPP
   services.

   The format for an XMPP address is defined in [XMPP-CORE].  Such an
   address may contain nearly any [UNICODE] character and must adhere to
   various profiles of [STRINGPREP].  The result is that an XMPP address
   is fully internationalizable and is very close to being an IRI
   without a scheme.  However, given that there is no freestanding
   registry of IRI schemes, it is necessary to define XMPP identifiers
   primarily as URIs rather than as IRIs, and to register an XMPP URI
   scheme instead of an IRI scheme.
   Therefore, this document does the following:

   o  Specifies how to identify XMPP entities as IRIs or URIs.
   o  Specifies how to interact with XMPP entities as IRIs or URIs.
   o  Formally defines the syntax for XMPP IRIs and URIs.
   o  Specifies how to transform XMPP IRIs into URIs and vice-versa.
   o  Registers the xmpp URI scheme.

1.1.  Terminology

   This document inherits terminology from [IRI], [URI], and
   [XMPP-CORE].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [TERMS].

2.  Use of XMPP IRIs and URIs

2.1.  Rationale

   As described in [XMPP-IM], instant messaging and presence
   applications of XMPP must handle im: and pres: URIs (as specified by
   [CPIM] and [CPP]).  However, there are many other applications of
   XMPP (including network management, workflow systems, generic
   publish-subscribe, remote procedure calls, content syndication,
   gaming, and middleware), and these applications do not implement
   instant messaging and presence semantics.  Neither does a generic
   XMPP entity implement the semantics of any existing URI scheme, such
   as the http:, ftp:, or mailto: scheme.  Therefore, it is appropriate
   to define a new URI scheme that makes it possible to identify or
   interact with any XMPP entity (not just instant messaging and
   presence entities) as an IRI or URI.

   XMPP IRIs and URIs are defined for use by non-native interfaces and
   applications, and primarily for the purpose of identification rather
   than of interaction (on the latter distinction, see Section 1.2.2 of
   [URI]).
   In order to ensure interoperability on XMPP networks, when data is
   routed to an XMPP entity (e.g., when an XMPP address is contained in
   the 'to' or 'from' attribute of an XML stanza) or an XMPP entity is
   otherwise identified in standard XMPP protocol elements, the entity
   MUST be addressed as <[node@]domain[/resource]> (i.e., without a
   prepended scheme), where the "node identifier", "domain identifier",
   and "resource identifier" portions of an XMPP address conform to the
   definitions provided in Section 3 of [XMPP-CORE].

   Note: For historical reasons, the term "resource identifier" is used
   in XMPP to refer to the optional portion of an XMPP address that
   follows the domain identifier and the "/" separator character (for
   details, refer to Section 3.4 of [XMPP-CORE]); this use of the term
   "resource identifier" is not to be confused with the meanings of
   "resource" and "identifier" provided in Section 1.1 of [URI].

2.2.  Form

   As described in [XMPP-CORE], an XMPP address used natively on an XMPP
   network is a string of Unicode characters that (1) conforms to a
   certain set of [STRINGPREP] profiles and [IDNA] restrictions, (2)
   follows a certain set of syntax rules, and (3) is encoded as [UTF-8].
   The form of such an address can be represented using Augmented
   Backus-Naur Form ([ABNF]) as:

      [ node "@" ] domain [ "/" resource ]

   In this context, the "node" and "resource" rules rely on distinct
   profiles of [STRINGPREP], and the "domain" rule relies on the concept
   of an internationalized domain name as described in [IDNA].  (Note:
   There is no need to refer to punycode in the IRI syntax itself, since
   any punycode representation would occur only inside an XMPP
   application in order to represent internationalized domain names.
   However, it is the responsibility of the processing application to
   convert [IRI] syntax into [IDNA] syntax before addressing XML stanzas
   to the specified entity on an XMPP network.)

   Certain characters are allowed in XMPP node identifiers and XMPP
   resource identifiers but not in the relevant portion of an IRI or
   URI.  The characters are as follows:

      In node identifiers:      [ \ ] ^ ` { | }
      In resource identifiers:  " < > [ \ ] ^ ` { | }

   The node identifier characters are not allowed in userinfo by the
   sub-delims rule and the resource identifier characters are not
   allowed in segment by the pchar rule.  These characters MUST be
   percent-encoded when transforming an XMPP address into an XMPP IRI or
   URI.

   Naturally, in order to be converted into an IRI or URI, an XMPP
   address must be prepended with a scheme (specifically, the xmpp
   scheme) and may also need to undergo transformations that adhere to
   the rules defined in [IRI] and [URI].  Furthermore, in order to
   enable more advanced interaction with an XMPP entity rather than
   simple identification, it is desirable to take advantage of
   additional aspects of URI syntax and semantics, such as authority
   components, query components, and fragment identifier components.

   Therefore, the ABNF syntax for an XMPP IRI is defined as shown below
   using Augmented Backus-Naur Form specified by [ABNF], where the
   "ifragment", "ihost", and "iunreserved" rules are defined in [IRI]
   and the "pct-encoded" rule is defined in [URI]:

      xmppiri      = "xmpp" ":" ihierxmpp
                     [ "?" iquerycomp ]
                     [ "#" ifragment ]
      ihierxmpp    = iauthpath / ipathxmpp
      iauthpath    = "//" iauthxmpp [ "/" ipathxmpp ]
      iauthxmpp    = inodeid "@" ihost
      ipathxmpp    = [ inodeid "@" ] ihost [ "/" iresid ]
      inodeid      = *( iunreserved / pct-encoded / nodeallow )
      nodeallow    = "!" / "$" / "(" / ")" / "*" / "+" / "," / ";" / "="
      iresid       = *( iunreserved / pct-encoded / resallow )
      resallow     = "!" / "$" / "&" / "'" / "(" / ")" /
                     "*" / "+" / "," / ":" / ";" / "="
      iquerycomp   = iquerytype [ *ipair ]
      iquerytype   = *iunreserved
      ipair        = ";" ikey "=" ivalue
      ikey         = *iunreserved
      ivalue       = *( iunreserved / pct-encoded )

   However, the foregoing syntax is not appropriate for inclusion in the
   registration of the xmpp URI scheme, since the IANA recognizes only
   URI schemes and not IRI schemes.  Therefore, the ABNF syntax for an
   XMPP URI rather than for IRI is defined as shown in Section 3.3 of
   this document (see below under "IANA Registration").  If it is
   necessary to convert the IRI syntax into URI syntax, an application
   MUST adhere to the mapping procedure specified in Section 3.1 of
   [IRI].

   The following is an example of a basic XMPP IRI/URI used for purposes
   of identifying a node associated with an XMPP server:

      xmpp:node@example.com

   Descriptions of the various components of an XMPP IRI/URI are
   provided in the following sections.

2.3.  Authority Component

   As explained in Section 2.8 of this document, in the absence of an
   authority component, the processing application would authenticate as
   a configured user at a configured XMPP server.  That is, the
   authority component section is unnecessary and should be ignored if
   the processing application has been configured with a set of default
   credentials.

   In accordance with Section 3.2 of RFC 3986, the authority component
   is preceded by a double slash ("//") and is terminated by the next
   slash ("/"), question mark ("?"), or number sign ("#") character, or
   by the end of the IRI/URI.
   As explained more fully in Section 2.8.1 of this document, the
   presence of an authority component signals the processing application
   to authenticate as the node@domain specified in the authority
   component rather than as a configured node@domain (see the Security
   Considerations section of this document regarding authentication).
   (While it is unlikely that the authority component will be included
   in most XMPP IRIs or URIs, the scheme allows for its inclusion, if
   appropriate.)  Thus, the following XMPP IRI/URI indicates to
   authenticate as "guest@example.com":

      xmpp://guest@example.com

   Note well that this is quite different from the following XMPP IRI/
   URI, which identifies a node "guest@example.com" but does not signal
   the processing application to authenticate as that node:

      xmpp:guest@example.com

   Similarly, using a possible query component of "?message" to trigger
   an interface for sending a message, the following XMPP IRI/URI
   signals the processing application to authenticate as
   "guest@example.com" and to send a message to "support@example.com":

      xmpp://guest@example.com/support@example.com?message

   By contrast, the following XMPP IRI/URI signals the processing
   application to authenticate as its configured default account and to
   send a message to "support@example.com":

      xmpp:support@example.com?message

   Note that the authority component names an account but carries no
   credentials: the "iauthxmpp" rule is simply inodeid "@" ihost, with
   no password field.  Whatever credentials the processing application
   uses for that account come from its own configuration, never from the
   IRI/URI itself.

2.4.  Path Component

   The path component of an XMPP IRI/URI identifies an XMPP address or
   specifies the XMPP address to which an XML stanza shall be directed
   at the end of IRI/URI processing.
   For example, the following XMPP IRI/URI identifies a node associated
   with an XMPP server:

      xmpp:example-node@example.com

   The following XMPP IRI/URI identifies a node associated with an XMPP
   server along with a particular XMPP resource identifier associated
   with that node:

      xmpp:example-node@example.com/some-resource

   Inclusion of a node is optional in XMPP addresses, so the following
   XMPP IRI/URI simply identifies an XMPP server:

      xmpp:example.com

2.5.  Query Component

   There are many potential use cases for encapsulating information in
   the query component of an XMPP IRI/URI; examples include but are not
   limited to:

   o  sending an XMPP message stanza (see [XMPP-IM]),
   o  adding a roster item (see [XMPP-IM]),
   o  sending a presence subscription (see [XMPP-IM]),
   o  probing for current presence information (see [XMPP-IM]),
   o  triggering a remote procedure call (see [XEP-0009]),
   o  discovering the identity or capabilities of another entity (see
      [XEP-0030]),
   o  joining an XMPP-based text chat room (see [XEP-0045]),
   o  interacting with publish-subscribe channels (see [XEP-0060]),
   o  providing a SOAP interface (see [XEP-0072]), and
   o  registering with another entity (see [XEP-0077]).

   Many of these potential use cases are application specific, and the
   full range of such applications cannot be foreseen in advance given
   the continued expansion in XMPP development; however, there is
   agreement within the Jabber/XMPP developer community that all the
   uses envisioned to date can be encapsulated via a "query type",
   optionally supplemented by one or more "key-value" pairs (this is
   similar to the "application/x-www-form-urlencoded" MIME type
   described in [HTML]).
   As an example, an XMPP IRI/URI intended to launch an interface for
   sending a message to the XMPP entity "example-node@example.com" might
   be represented as follows:

      xmpp:example-node@example.com?message

   Similarly, an XMPP IRI/URI intended to launch an interface for
   sending a message to the XMPP entity "example-node@example.com" with
   a particular subject might be represented as follows:

      xmpp:example-node@example.com?message;subject=Hello%20World

   If the processing application does not understand query components or
   the specified query type, it MUST ignore the query component and
   treat the IRI/URI as if it consisted of the scheme and the XMPP
   address alone, without the query component.  If the processing
   application does not understand a particular key within the query
   component, it MUST ignore that key and its associated value.

   As noted, there exist many kinds of XMPP applications (both actual
   and potential), and such applications may define query types and keys
   for use in the query component portion of XMPP URIs.  The XMPP
   Registrar function (see [XEP-0053]) of the XMPP Standards Foundation
   maintains a registry of such query types and keys.  To help ensure
   interoperability, any application using the formats defined in this
   document SHOULD submit any associated query types and keys to that
   registry in accordance with the procedures specified in [XEP-0147].

2.6.  Fragment Identifier Component

   As stated in Section 3.5 of [URI], "The fragment identifier component
   of a URI allows indirect identification of a secondary resource by
   reference to a primary resource and additional identifying
   information."
   Because the resource identified by an XMPP IRI/URI does not make
   available any media type (see [MIME]) and therefore (in the
   terminology of [URI]) no representation exists at an XMPP resource,
   the semantics of the fragment identifier component in XMPP IRIs/URIs
   are to be "considered unknown and, effectively, unconstrained"
   (ibid.).  Particular XMPP applications MAY make use of the fragment
   identifier component for their own purposes.  However, if a
   processing application does not understand fragment identifier
   components or the syntax of a particular fragment identifier
   component included in an XMPP IRI/URI, it MUST ignore the fragment
   identifier component.

2.7.  Generation of XMPP IRIs/URIs

2.7.1.  Generation Method

   In order to form an XMPP IRI from an XMPP node identifier, domain
   identifier, and resource identifier, the generating application MUST
   first ensure that the XMPP address conforms to the rules specified in
   [XMPP-CORE], including application of the relevant [STRINGPREP]; it
   MUST then concatenate the following:

   1.  The "xmpp" scheme and the ":" character.
   2.  Optionally (if an authority component is to be included before
       the node identifier), the characters "//", an authority component
       of the form node@domain, and the character "/".
   3.  Optionally (if the XMPP address contained an XMPP "node
       identifier"), a string of Unicode characters that conforms to the
       "inodeid" rule, followed by the "@" character.
   4.  A string of Unicode characters that conforms to the "ihost" rule.
   5.  Optionally (if the XMPP address contained an XMPP "resource
       identifier"), the character "/" and a string of Unicode
       characters that conforms to the "iresid" rule.
   6.  Optionally (if a query component is to be included), the "?"
       character and query component.
   7.  Optionally (if a fragment identifier component is to be
       included), the "#" character and fragment identifier component.

   In order to form an XMPP URI from the resulting IRI, an application
   MUST adhere to the mapping procedure specified in Section 3.1 of
   [IRI].

2.7.2.  Generation Notes

   Certain characters are allowed in the node identifier, domain
   identifier, and resource identifier portions of a native XMPP address
   but prohibited by the "inodeid", "ihost", and "iresid" rules of an
   XMPP IRI.  Specifically, the "#" and "?" characters are allowed in
   node identifiers, and the "/", "?", "#", and "@" characters are
   allowed in resource identifiers, but these characters are used as
   delimiters in XMPP IRIs.  In addition, the " " ([US-ASCII] space)
   character is allowed in resource identifiers but prohibited in IRIs.
   Therefore, all the foregoing characters MUST be percent-encoded when
   transforming an XMPP address into an XMPP IRI.

   Consider the following nasty node in an XMPP address:

      nasty!#$%()*+,-.;=?[\]^_`{|}~node@example.com

   That address would be transformed into the following XMPP IRI (split
   into two lines for layout purposes):

      xmpp:nasty!%23$%25()*+,-.;=%3F%5B%5C%5D%5E_%60%7B%7C%7D~node
      @example.com

   Consider the following repulsive resource in an XMPP address (split
   into two lines for layout purposes):

      node@example.com
      /repulsive !#"$%&'()*+,-./:;<=>?@[\]^_`{|}~resource

   That address would be transformed into the following XMPP IRI (split
   into three lines for layout purposes):

      xmpp:node@example.com
      /repulsive%20!%23%22$%25&'()*+,-.%2F:;%3C=
      %3E%3F%40%5B%5C%5D%5E_%60%7B%7C%7D~resource

   Furthermore, virtually any character outside the [US-ASCII] range is
   allowed in an XMPP address and therefore also in an XMPP IRI, but URI
   syntax forbids such characters directly and specifies that such
   characters MUST be percent-encoded.
   In order to determine the URI associated with an XMPP IRI, an
   application MUST adhere to the mapping procedure specified in
   Section 3.1 of [IRI].

2.7.3.  Generation Example

   Consider the following XMPP address:

   Note: The string "ř" stands for the Unicode character LATIN SMALL
   LETTER R WITH CARON, and the string "č" stands for the Unicode
   character LATIN SMALL LETTER C WITH CARON, following the "XML
   Notation" used in [IRI] to represent characters that cannot be
   rendered in ASCII-only documents (note also that these characters are
   represented in their stringprep canonical form).  The '<' and '>'
   characters are not part of the address itself but are provided to set
   off the address for legibility.  For those who do not read Czech,
   this example could be Anglicized as "george@czech-lands.example/In
   Prague".

   In accordance with the process specified above, the generating
   application would do the following to generate a valid XMPP IRI from
   this address:

   1.  Ensure that the XMPP address conforms to the rules specified in
       [XMPP-CORE], including application of the relevant [STRINGPREP]
       profiles and encoding as a [UTF-8] string.
   2.  Concatenate the following:
       1.  The "xmpp" scheme and the ":" character.
       2.  An "authority component" if included (not shown in this
           example).
       3.  A string of Unicode characters that represents the XMPP
           address, transformed in accordance with the "inodeid",
           "ihost", and "iresid" rules.
       4.  The "?" character followed by a "query component" if
           appropriate to the application (not shown in this example).
       5.  The "#" character followed by a "fragment identifier
           component" if appropriate to the application (not shown in
           this example).
   The result is this XMPP IRI:

   In order to generate a valid XMPP URI from the foregoing IRI, the
   application MUST adhere to the procedure specified in Section 3.1 of
   [IRI], resulting in the following URI:

2.8.  Processing of XMPP IRIs/URIs

2.8.1.  Processing Method

   If a processing application is presented with an XMPP URI and not
   with an XMPP IRI, it MUST first convert the URI into an IRI by
   following the procedure specified in Section 3.2 of [IRI].

   In order to decompose an XMPP IRI for interaction with the entity it
   identifies, a processing application MUST separate:

   1.  The "xmpp" scheme and the ":" character.
   2.  The authority component, if included (the string of Unicode
       characters between the "//" characters and the next "/"
       character, the "?" character, the "#" character, or the end of
       the IRI).
   3.  A string of Unicode characters that represents an XMPP address as
       transformed in accordance with the "inodeid", "ihost", and
       "iresid" rules.
   4.  Optionally the query component, if included, using the "?"
       character as a separator.
   5.  Optionally the fragment identifier component, if included, using
       the "#" character as a separator.

   At this point, the processing application MUST ensure that the
   resulting XMPP address conforms to the rules specified in
   [XMPP-CORE], including application of the relevant [STRINGPREP].
   (This check is not a formality: percent-decoding can reintroduce
   characters such as "@" or "/" into a node identifier, and the
   nodeprep profile prohib its them, so an address recovered from an
   IRI is not automatically well-formed and must be verified before it
   is placed in a stanza.)  The processing application then would
   either (1) complete further XMPP handling itself or (2) invoke a
   helper application to complete XMPP handling; such XMPP handling
   would most likely consist of the following steps:

   1.  If not already connected to an XMPP server, connect either as the
       user specified in the authority component or as the configured
       user at the configured XMPP server, normally by adhering to the
       XMPP connection procedures defined in [XMPP-CORE].
       (Note: The processing application SHOULD ignore the authority
       component if it has been configured with a set of default
       credentials.)
   2.  Optionally, determine the nature of the intended recipient (e.g.,
       via [XEP-0030]).
   3.  Optionally, present an appropriate interface to a user based on
       the nature of the intended recipient and/or the contents of the
       query component.
   4.  Generate an XMPP stanza that translates any user or application
       inputs into their corresponding XMPP equivalents.
   5.  Send the XMPP stanza via the authenticated server connection for
       delivery to the intended recipient.

2.8.2.  Processing Notes

   It may help implementors to note that the first two steps of "further
   XMPP handling", as described at the end of Section 2.8.1, are similar
   to HTTP authentication ([HTTP-AUTH]), while the next three steps are
   similar to the handling of mailto: URIs ([MAILTO]).

   As noted in Section 2.7.2 of this document, certain characters are
   allowed in the node identifier, domain identifier, and resource
   identifier portions of a native XMPP address but prohibited by the
   "inodeid", "ihost", and "iresid" rules of an XMPP IRI.  The
   percent-encoded octets corresponding to these characters in XMPP IRIs
   MUST be transformed into the characters allowed in XMPP addresses
   when processing an XMPP IRI for interaction with the represented XMPP
   entity.
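   The generation steps of Section 2.7 and the processing steps of
   Section 2.8, carried through in Python as an added example (this is
   not code from the draft or from the XSF).  It also covers the
   authority component of Section 2.3 and the query-component format of
   Section 2.5.  Assumptions: the input address has already had the
   [XMPP-CORE] stringprep profiles applied (nodeprep and resourceprep are
   not implemented here); every character at or above U+00A0 is treated
   as an IRI character, an approximation of the ucschar rule of [IRI];
   and the Czech address used as sample input is a constructed string
   matching the description in Section 2.7.3, not the draft's own text.

```python
# Generation (Section 2.7) and processing (Section 2.8) of xmpp: IRIs/URIs.
# Added example, not code from the draft or the XSF.  Assumes the address has
# already been through the XMPP-CORE stringprep profiles (nodeprep/resourceprep
# are not implemented) and treats every character at or above U+00A0 as an IRI
# character (an approximation of the ucschar rule of RFC 3987).
import re
from urllib.parse import unquote

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
NODEALLOW = set("!$()*+,;=")        # "nodeallow" rule, Section 2.2
RESALLOW = set("!$&'()*+,:;=")      # "resallow" rule, Section 2.2
NODE_PROHIBITED = set('"&\'/:<>@')  # characters nodeprep prohibits in a node
_PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2})+")

def _pct(ch):
    """Percent-encode one character as its UTF-8 octets."""
    return "".join("%%%02X" % b for b in ch.encode("utf-8"))

def encode_part(text, allowed):
    """Keep unreserved, the rule's allowed set and non-ASCII (IRI form); encode
    everything else, including the delimiters # ? / @ and the space."""
    return "".join(c if c in UNRESERVED or c in allowed or ord(c) >= 0xA0
                   else _pct(c) for c in text)

def iri_to_uri(iri):
    """RFC 3987 Section 3.1: percent-encode every non-ASCII character."""
    return "".join(c if ord(c) < 0x80 else _pct(c) for c in iri)

def uri_to_iri(uri):
    """RFC 3987 Section 3.2: decode percent-encoded UTF-8 that yields non-ASCII
    characters; encoded ASCII (%20, %2F, %40 ...) stays encoded, since decoding
    it would create new delimiters."""
    def fix(m):
        try:
            text = bytes.fromhex(m.group(0).replace("%", "")).decode("utf-8")
        except UnicodeDecodeError:
            return m.group(0)
        return "".join(c if ord(c) >= 0xA0 else _pct(c) for c in text)
    return _PCT_RUN.sub(fix, uri)

def generate_iri(domain=None, node=None, resource=None, authority=None,
                 querytype=None, pairs=None, fragment=None):
    """Section 2.7.1: scheme, optional //authority/, address, ?query, #fragment.
    `authority` is the node@domain to authenticate as (Section 2.3)."""
    path = ""
    if domain is not None:
        path = ("" if node is None else encode_part(node, NODEALLOW) + "@") + domain
        if resource is not None:
            path += "/" + encode_part(resource, RESALLOW)
    iri = "xmpp:"
    if authority is not None:
        anode, ahost = authority.split("@", 1)
        iri += "//" + encode_part(anode, NODEALLOW) + "@" + ahost + ("/" if path else "")
    iri += path
    if querytype is not None:   # querytype, then ";key=value" pairs (Section 2.5)
        iri += "?" + querytype + "".join(
            ";%s=%s" % (k, encode_part(v, set())) for k, v in (pairs or {}).items())
    if fragment is not None:
        iri += "#" + fragment
    return iri

def process_iri(text):
    """Section 2.8.1: URI -> IRI, then split on the raw delimiters.  Splitting
    before decoding is safe because Section 2.7.2 requires # ? / @ inside node
    and resource identifiers to be percent-encoded."""
    if not text.startswith("xmpp:"):
        raise ValueError("not an xmpp IRI/URI")
    rest = uri_to_iri(text[5:])
    out = dict(authority=None, node=None, domain=None, resource=None,
               querytype=None, pairs={}, fragment=None)
    rest, sep, frag = rest.partition("#")
    out["fragment"] = frag if sep else None
    rest, sep, query = rest.partition("?")
    if sep:
        qtype, *kv = query.split(";")
        out["querytype"] = unquote(qtype)
        for item in kv:                      # unknown keys: the caller ignores them
            key, _, value = item.partition("=")
            out["pairs"][unquote(key)] = unquote(value)
    if rest.startswith("//"):                # authority ends at the next "/"
        auth, _, rest = rest[2:].partition("/")
        out["authority"] = unquote(auth)     # account to authenticate as; no secret
    if rest:
        head, sep, res = rest.partition("/")
        out["resource"] = unquote(res) if sep else None
        node, sep, host = head.rpartition("@")   # no "@": host is the whole head
        if sep:
            out["node"] = unquote(node)
            # Section 2.8.1: the decoded address must still satisfy XMPP-CORE;
            # e.g. "%40" in a node decodes to "@", which nodeprep prohibits.
            if set(out["node"]) & NODE_PROHIBITED:
                raise ValueError("node contains a nodeprep-prohibited character")
        out["domain"] = unquote(host)
    return out

def address(parsed):
    """Native <[node@]domain[/resource]> form of a process_iri() result."""
    if parsed["domain"] is None:
        return None
    addr = ("" if parsed["node"] is None else parsed["node"] + "@") + parsed["domain"]
    return addr if parsed["resource"] is None else addr + "/" + parsed["resource"]

def to_idna(domain):
    """Section 2.2: IDNA form of the domain before it goes into a stanza."""
    return domain.encode("idna").decode("ascii")
```

   The nasty-node and repulsive-resource strings of Sections 2.7.2 and
   2.8.2 round-trip through generate_iri() and process_iri() unchanged,
   and the constructed address jiří@čechy.example/v Praze becomes the
   IRI xmpp:jiří@čechy.example/v%20Praze and the URI
   xmpp:ji%C5%99%C3%AD@%C4%8Dechy.example/v%20Praze.  The nodeprep check
   in process_iri() is the point a practitioner should keep: a node such
   as bad%40node decodes to bad@node, which is not a valid XMPP address,
   so it is rejected rather than passed into a stanza.  The authority
   component is reported separately because it is only a request to
   authenticate as that account; credentials come from the processing
   application's own configuration.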
   Consider the following nasty node in an XMPP IRI (split into two
   lines for layout purposes):

      xmpp:nasty!%23$%25()*+,-.;=%3F%5B%5C%5D%5E_%60%7B%7C%7D~node
      @example.com

   That IRI would be transformed into the following XMPP address:

      nasty!#$%()*+,-.;=?[\]^_`{|}~node@example.com

   Consider the following repulsive resource in an XMPP IRI (split into
   three lines for layout purposes):

      xmpp:node@example.com
      /repulsive%20!%23%22$%25&'()*+,-.%2F:;%3C
      =%3E%3F%40%5B%5C%5D%5E_%60%7B%7C%7D~resource

   That IRI would be transformed into the following XMPP address (split
   into two lines for layout purposes):

      node@example.com
      /repulsive !#"$%&'()*+,-./:;<=>?@[\]^_`{|}~resource

2.8.3.  Processing Example

   Consider the XMPP URI that resulted from the previous example:

   In order to generate a valid XMPP IRI from that URI, the application
   MUST adhere to the procedure specified in Section 3.2 of [IRI],
   resulting in the following IRI:

   In accordance with the process specified above, the processing
   application would remove the "xmpp" scheme and ":" character to
   extract the XMPP address from this XMPP IRI, converting any
   percent-encoded octets from the "inodeid", "ihost", and "iresid"
   rules into their character equivalents (e.g., "%20" into the space
   character).

   The result is this XMPP address:

2.9.  Internationalization

   Because XMPP addresses are [UTF-8] strings and because octets outside
   the [US-ASCII] range within XMPP addresses can be easily converted to
   percent-encoded octets, XMPP addresses are designed to work well with
   Internationalized Resource Identifiers ([IRI]).
   In particular, with the exceptions of stringprep verification, the
   conversion of syntax-relevant [US-ASCII] characters (e.g., "?"), and
   the conversion of percent-encoded octets from the "inodeid", "ihost",
   and "iresid" rules into their character equivalents (e.g., "%20" into
   the [US-ASCII] space character), an XMPP IRI can be constructed
   directly by prepending the "xmpp" scheme and ":" character to an XMPP
   address.  Furthermore, an XMPP IRI can be converted into URI syntax
   by adhering to the procedure specified in Section 3.1 of [IRI], and
   an XMPP URI can be converted into IRI syntax by adhering to the
   procedure specified in Section 3.2 of [IRI], thus ensuring
   interoperability with applications that are able to process URIs but
   unable to process IRIs.

3.  IANA Registration of xmpp URI Scheme

   In accordance with [URI-SCHEMES], this section provides the
   information required to register the xmpp URI scheme.

3.1.  URI Scheme Name

   xmpp

3.2.  Status

   permanent

3.3.  URI Scheme Syntax

   The syntax for an xmpp URI is defined below using Augmented Backus-
   Naur Form as specified by [ABNF], where the "fragment", "host", "pct-
   encoded", and "unreserved" rules are defined in [URI]:

   xmppuri   = "xmpp" ":" hierxmpp [ "?" querycomp ] [ "#" fragment ]
   hierxmpp  = authpath / pathxmpp
   authpath  = "//" authxmpp [ "/" pathxmpp ]
   authxmpp  = nodeid "@" host
   pathxmpp  = [ nodeid "@" ] host [ "/" resid ]
   nodeid    = *( unreserved / pct-encoded / nodeallow )
   nodeallow = "!" / "$" / "(" / ")" / "*" / "+" / "," / ";" / "="
   resid     = *( unreserved / pct-encoded / resallow )
   resallow  = "!" / "$" / "&" / "'" / "(" / ")" /
               "*" / "+" / "," / ":" / ";" / "="
   querycomp = querytype [ *pair ]
   querytype = *( unreserved / pct-encoded )
   pair      = ";" key "=" value
   key       = *( unreserved / pct-encoded )
   value     = *( unreserved / pct-encoded )

3.4.  URI Scheme Semantics

   The xmpp URI scheme identifies entities that natively communicate
   using the Extensible Messaging and Presence Protocol (XMPP), and is
   mainly used for identification rather than for resource location.
   However, if an application that processes an xmpp URI enables
   interaction with the XMPP address identified by the URI, it MUST
   follow the methodology defined in Section 2 of XXXX, Use of XMPP IRIs
   and URIs, to reconstruct the encapsulated XMPP address, connect to an
   appropriate XMPP server, and send an appropriate XMPP "stanza" (XML
   fragment) to the XMPP address.  (Note: There is no MIME type
   associated with the xmpp URI scheme.)

3.5.  Encoding Considerations

   In addition to XMPP URIs, there will also be XMPP Internationalized
   Resource Identifiers (IRIs).  Prior to converting an Extensible
   Messaging and Presence Protocol (XMPP) address into an IRI (and in
   accordance with [XMPP-CORE]), the XMPP address must be represented as
   [UTF-8] by the generating application (e.g., by transforming an
   application's internal representation of the address as a UTF-16
   string into a UTF-8 string), and the UTF-8 string must then be
   prepended with the "xmpp" scheme and ":" character.  However, because
   an XMPP URI must contain only [US-ASCII] characters, the UTF-8 string
   of an XMPP IRI must be transformed into URI syntax by adhering to the
   procedure specified in RFC 3987.

3.6.  Applications/Protocols That Use This URI Scheme Name

   The xmpp URI scheme is intended to be used by interfaces to an XMPP
   network from non-native user agents, such as web browsers, as well as
   by non-native applications that need to identify XMPP entities as
   full URIs or IRIs.

3.7.  Interoperability Considerations

   There are no known interoperability concerns related to use of the
   xmpp URI scheme.
   In order to help ensure interoperability, the XMPP Registrar function
   of the XMPP Standards Foundation maintains a registry of query types
   and keys that can be used in the query components of XMPP URIs and
   IRIs, located at .

3.8.  Security Considerations

   See Section 5 of XXXX, Security Considerations.

3.9.  Contact

   Peter Saint-Andre [mailto:stpeter@jabber.org,
   xmpp:stpeter@jabber.org]

3.10.  Author/Change Controller

   This scheme is registered under the IETF tree.  As such, the IETF
   maintains change control.

3.11.  References

   [XMPP-CORE]

4.  IANA Considerations

   This document updates the URI scheme registration created by RFC
   4622.  The registration template can be found in Section 3 of this
   document.  In order to help ensure interoperability, the XMPP
   Registrar function of the XMPP Standards Foundation maintains a
   registry of query types and keys that can be used in the query
   components of XMPP URIs and IRIs, located at .

5.  Security Considerations

   Providing an interface to XMPP services from non-native applications
   introduces new security concerns.  The security considerations
   discussed in [IRI], [URI], and [XMPP-CORE] apply to XMPP IRIs, and
   the security considerations discussed in [URI] and [XMPP-CORE] apply
   to XMPP URIs.  In accordance with Section 2.7 of [URI-SCHEMES] and
   Section 7 of [URI], particular security considerations are specified
   in the following sections.

5.1.  Reliability and Consistency

   Given that XMPP addresses of the form node@domain.tld are typically
   created via registration at an XMPP server or provisioned by an
   administrator of such a server, it is possible that such addresses
   may also be unregistered or deprovisioned.  Therefore, the XMPP IRI/
   URI that identifies such an XMPP address may not reliably and
   consistently be associated with the same principal, account owner,
   application, or device.
   XMPP addresses of the form node@domain.tld/resource are typically
   even more ephemeral (since a given XMPP resource identifier is
   typically associated with a particular, temporary session of an XMPP
   client at an XMPP server).  Therefore, the XMPP IRI/URI that
   identifies such an XMPP address probably will not reliably and
   consistently be associated with the same session.  However, the
   procedures specified in Section 10 of [XMPP-CORE] effectively
   eliminate any potential confusion that might be introduced by the
   lack of reliability and consistency for the XMPP IRI/URI that
   identifies such an XMPP address.

   XMPP addresses of the form domain.tld are typically long-lived XMPP
   servers or associated services; although naturally it is possible for
   server or service administrators to de-commission the server or
   service at any time, typically the IRIs/URIs that identify such
   servers or services are the most reliable and consistent of XMPP
   IRIs/URIs.

   XMPP addresses of the form domain.tld/resource are not yet common on
   XMPP networks; however, the reliability and consistency of XMPP IRIs/
   URIs that identify such XMPP addresses would likely fall somewhere
   between those that identify XMPP addresses of the form domain.tld and
   those that identify XMPP addresses of the form node@domain.tld.

5.2.  Malicious Construction

   Malicious construction of XMPP IRIs/URIs is made less likely by the
   prohibition on port numbers in XMPP IRIs/URIs (since port numbers are
   to be discovered using [DNS-SRV] records, as specified in
   [XMPP-CORE]).

5.3.  Back-End Transcoding

   Because the base XMPP protocol is designed to implement the exchange
   of messages and presence information and not the retrieval of files
   or invocation of similar system functions, it is deemed unlikely that
   the use of XMPP IRIs/URIs would result in harmful dereferencing.
   However, if an XMPP protocol extension defines methods for
   information retrieval, it MUST define appropriate controls over
   access to that information.  In addition, XMPP servers SHOULD NOT
   natively parse XMPP IRIs/URIs but instead SHOULD accept only the XML
   wire protocol specified in [XMPP-CORE] and any desired extensions
   thereto.

5.4.  Sensitive Information

   The ability to interact with XMPP entities via a web browser or other
   non-native application may expose sensitive information (such as
   support for particular XMPP application protocol extensions) and
   thereby make it possible to launch attacks that are not possible or
   that are unlikely on a native XMPP network.  Due care must be taken
   in deciding what information is appropriate for representation in
   XMPP IRIs or URIs.

   In particular, advertising XMPP IRIs/URIs in publicly accessible
   locations (e.g., on websites) may make it easier for malicious users
   to harvest XMPP addresses from the authority and path components of
   XMPP IRIs/URIs and therefore to send unsolicited bulk communications
   to the users or applications represented by those addresses.  Due
   care should be taken in balancing the benefits of open information
   exchange against the potential costs of unwanted communications.

   To help prevent leaking of sensitive information, passwords and other
   user credentials are forbidden in the authority component of XMPP
   IRIs/URIs; in fact they are not needed, since authentication in XMPP
   occurs via [SASL], which makes it possible to use the SASL ANONYMOUS
   mechanism, if desired.

5.5.  Semantic Attacks

   Despite the existence of non-hierarchical URI schemes such as
   [MAILTO], by association human users may expect all URIs to include
   the "//" characters after the scheme name and ":" character.
   However, in XMPP IRIs/URIs, the "//" characters precede the authority
   component rather than the path component.  Thus,
   xmpp://guest@example.com indicates to authenticate as
   "guest@example.com", whereas xmpp:guest@example.com identifies the
   node "guest@example.com".  Processing applications MUST clearly
   differentiate between these forms, and user agents SHOULD discourage
   human users from including the "//" characters in XMPP IRIs/URIs
   since use of the authority component is envisioned to be helpful only
   in specialized scenarios, not more generally.

5.6.  Spoofing

   The ability to include effectively the full range of Unicode
   characters in an XMPP IRI may make it easier to execute certain forms
   of address mimicking (also called "spoofing").  However, XMPP IRIs
   are no different from other IRIs in this regard, and applications
   that will present XMPP IRIs to human users must adhere to best
   practices regarding address mimicking in order to help prevent
   attacks that result from spoofed addresses (e.g., the phenomenon
   known as "phishing").  For details, refer to the Security
   Considerations of [IRI].

6.  Acknowledgements

   Thanks to Martin Duerst, Lisa Dusseault, Frank Ellerman, Roy
   Fielding, Joe Hildebrand, and Ralph Meijer for their comments.

7.  References

7.1.  Normative References

   [ABNF]     Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 4234, October 2005.

   [IRI]      Duerst, M. and M. Suignard, "Internationalized Resource
              Identifiers (IRIs)", RFC 3987, January 2005.

   [TERMS]    Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [URI]      Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.
   [XMPP-CORE]
              Saint-Andre, P., "Extensible Messaging and Presence
              Protocol (XMPP): Core", RFC 3920, October 2004.

7.2.  Informative References

   [CPIM]     Peterson, J., "Common Profile for Instant Messaging
              (CPIM)", RFC 3860, August 2004.

   [CPP]      Peterson, J., "Common Profile for Presence (CPP)",
              RFC 3859, August 2004.

   [DNS-SRV]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the location of services (DNS SRV)", RFC 2782,
              February 2000.

   [HTML]     Raggett, D., "HTML 4.0 Specification", W3C REC
              REC-html40-19980424, April 1998.

   [HTTP-AUTH]
              Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
              Leach, P., Luotonen, A., and L. Stewart, "HTTP
              Authentication: Basic and Digest Access Authentication",
              RFC 2617, June 1999.

   [IDNA]     Faltstrom, P., Hoffman, P., and A. Costello,
              "Internationalizing Domain Names in Applications (IDNA)",
              RFC 3490, March 2003.

   [XEP-0009]
              Adams, D., "Jabber-RPC", XSF XEP 0009, February 2006.

   [XEP-0030]
              Hildebrand, J., Millard, P., Eatmon, R., and P. Saint-
              Andre, "Service Discovery", XSF XEP 0030, February 2007.

   [XEP-0045]
              Saint-Andre, P., "Multi-User Chat", XSF XEP 0045,
              April 2007.

   [XEP-0053]
              Saint-Andre, P., "XMPP Registrar Function", XSF XEP 0053,
              December 2006.

   [XEP-0060]
              Millard, P., Saint-Andre, P., and R. Meijer, "Publish-
              Subscribe", XSF XEP 0060, September 2006.

   [XEP-0072]
              Forno, F. and P. Saint-Andre, "SOAP Over XMPP", XSF
              XEP 0072, December 2005.

   [XEP-0077]
              Saint-Andre, P., "In-Band Registration", XSF XEP 0077,
              January 2006.

   [XEP-0147]
              Saint-Andre, P., "XMPP URI Scheme Query Components", XSF
              XEP 0147, September 2006.

   [MAILTO]   Hoffman, P., Masinter, L., and J. Zawinski, "The mailto
              URL scheme", RFC 2368, July 1998.

   [MIME]     Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Two: Media Types", RFC 2046,
              November 1996.

   [SASL]     Melnikov, A. and K. Zeilenga, "Simple Authentication and
              Security Layer (SASL)", RFC 4422, June 2006.

   [STRINGPREP]
              Hoffman, P. and M. Blanchet, "Preparation of
              Internationalized Strings ("STRINGPREP")", RFC 3454,
              December 2002.

   [UNICODE]  The Unicode Consortium, "The Unicode Standard, Version
              3.2.0", 2000.

              The Unicode Standard, Version 3.2.0 is defined by The
              Unicode Standard, Version 3.0 (Reading, MA, Addison-
              Wesley, 2000.  ISBN 0-201-61633-5), as amended by the
              Unicode Standard Annex #27: Unicode 3.1
              (http://www.unicode.org/reports/tr27/) and by the Unicode
              Standard Annex #28: Unicode 3.2
              (http://www.unicode.org/reports/tr28/).

   [URI-SCHEMES]
              Hansen, T., Hardie, T., and L. Masinter, "Guidelines and
              Registration Procedures for New URI Schemes", RFC 4395,
              February 2006.

   [US-ASCII]
              American National Standards Institute, "Coded Character
              Set - 7-bit American Standard Code for Information
              Interchange", ANSI X3.4, 1986.

   [UTF-8]    Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [XMPP-IM]  Saint-Andre, P., "Extensible Messaging and Presence
              Protocol (XMPP): Instant Messaging and Presence",
              RFC 3921, October 2004.

Appendix A.  Differences From RFC 4622

   Several errors were found in RFC 4622.  This document corrects those
   errors.  The resulting differences from RFC 4622 are as follows:

   o  Specified that the characters "[", "\", "]", "^", "`", "{", "|",
      and "}" are allowed in XMPP node identifiers but not allowed in
      IRIs or URIs according to the sub-delims rule.

   o  Specified that the characters '"', "<", ">", "[", "\", "]", "^",
      "`", "{", "|", and "}" are allowed in XMPP resource identifiers
      but not allowed in IRIs or URIs according to the pchar rule.
   o  Specified that the foregoing characters must be percent-encoded
      when constructing an XMPP URI.

   o  Corrected the ABNF accordingly.

   o  Updated the examples accordingly.

Author's Address

   Peter Saint-Andre
   XMPP Standards Foundation

   Email: stpeter@jabber.org
   URI:   xmpp:stpeter@jabber.org

Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.
   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).