XEP-0398: explain copy vs inject on access

add security considerations for both methods

xep-0398.xml

@@ -10,7 +10,7 @@
   <abstract>This specification describes a method for using PEP based avatars and vCard based avatars in parallel by having the user’s server do a conversion between the two.</abstract>
   &LEGALNOTICE;
   <number>0398</number>
-  <status>Deferred</status>
+  <status>Experimental</status>
   <lastcall>2020-02-26</lastcall>
   <type>Standards Track</type>
   <sig>Standards</sig>
@@ -29,6 +29,17 @@
     <email>[email protected]</email>
     <jid>[email protected]</jid>
   </author>
+  <revision>
+    <version>0.3.0</version>
+    <date>2024-03-08</date>
+    <initials>dg</initials>
+    <remark>
+      <ul>
+        <li>Add text to explain that both <em>copy on publication</em> and <em>inject PEP avatar into vCard response</em> are valid implementations.</li>
+        <li>Add Security Considerations for both variants</li>
+      </ul>
+    </remark>
+  </revision>
   <revision>
     <version>0.2.1</version>
     <date>2018-08-27</date>
@@ -107,12 +118,18 @@
   <p>The hash MUST also be injected into directed presences such as MUC joins</p>
 </section1>
 <section1 topic='Implementation Notes' anchor='impl'>
-  <p>Implementing clients SHOULD use the more efficient <cite>XEP-0084</cite> to access their own avatar storage and implement <cite>XEP-0153</cite> only to download avatars from other entities if they do not have mutual presence subscription with said entity. (For example participants in a Multi-User Chat.)</p>
-  <p>Services will inject the hash in directed presences automatically but will not resend the presence if the avatar gets updated. Thus clients MAY resend directed available presence to all Multi-User Chats after receiving a 'urn:xmpp:avatar:metadata' update notification. The service will then inject an updated version of the hash. To avoid sending unnecassary presence updates, resending should only occur if the service annouces the 'urn:xmpp:pep-vcard-conversion:0' feature.</p>
+  <section2 topic='Client' anchor='impl-client'>
+    <p>Implementing clients SHOULD use the more efficient <cite>XEP-0084</cite> to access their own avatar storage and implement <cite>XEP-0153</cite> only to download avatars from other entities if they do not have mutual presence subscription with said entity. (For example participants in a Multi-User Chat.)</p>
+    <p>Services will inject the hash in directed presences automatically but will not resend the presence if the avatar gets updated. Thus clients MAY resend directed available presence to all Multi-User Chats after receiving a 'urn:xmpp:avatar:metadata' update notification. The service will then inject an updated version of the hash. To avoid sending unnecassary presence updates, resending should only occur if the service annouces the 'urn:xmpp:pep-vcard-conversion:0' feature.</p>
+  </section2>
+  <section2 topic='Server' anchor='impl-server'>
+    <p>While this specification is worded in a way that implies PEP and vCard are two different storages and a publication to one copies the avatar to another an alternative implementation, that also satisfies the requirements, is one that dynamically injects the PEP avatar into the vCard upon request. If this approach is taken services SHOULD check if the requestor of the vCard has access to the PEP nodes.</p>
+  </section2>
 </section1>
 <section1 topic='Security Considerations' anchor='security'>
-  <p><cite>XEP-0084</cite> has a default access model that only allows entities with mutual presence subscription to access the published avatar. <cite>XEP-0153</cite> has no access control at all. Clients that discover the disco feature 'urn:xmpp:pep-vcard-conversion:0' on the account MAY warn users that uploading an avatar will make that avatar accessible to anyone who knows the Jabber ID.</p>
-  <p>In the future services MAY decide to perform PEP to vCard conversion only if the access model of the 'urn:xmpp:avatar:data' node has been set to 'open' as described in &xep0060;. However the ability to change the access model of nodes isn’t widely implemented yet and thus this paragraph exists only to act as a reminder that the privacy implications described in the previous paragraph can be avoided</p>
+  <p>Services that copy the avatar from PEP to vCard upon publication SHOULD perform conversion only if the access model of the 'urn:xmpp:avatar:data' node has been set to 'open' as described in &xep0060;.</p>
+  <p>Services that dynamically inject the PEP avatar into a vCard response SHOULD check if the entity that requested the vCard has access to both PEP nodes. This can be the case if the access model has been set top 'open' or if the requesting entity has a presence subscription of the owner.</p>
+  <p>When this specification was first drafted changing the access model of a PEP node was a multi-step process. Therefor some implementations did copy the avatar from PEP to vCard without any access control. Until those implementations go away clients that discover the disco feature 'urn:xmpp:pep-vcard-conversion:0' on the account MAY warn users that uploading an avatar will make that avatar accessible to anyone who knows the Jabber ID.</p>
 </section1>
 <section1 topic='IANA Considerations' anchor='iana'>
   <p>This document requires no interaction with the Internet Assigned Numbers Authority (IANA).</p>
@@ -123,9 +140,6 @@
     <li>urn:xmpp:pep-vcard-conversion:0</li>
   </ul>
 </section1>
-<section1 topic='XML Schema' anchor='schema'>
-  <p>tbd</p>
-</section1>
 <section1 topic='Acknowledgements' anchor='ack'>
   <p>Special thanks to Evgeny Khramtsov who implemented what is now written down as a XEP in ejabberd and created the inspiration for this XEP.</p>
 </section1>