xsf · iNPUTmice · Jun 3, 2024 · Jun 3, 2024
diff --git a/xep-0421.xml b/xep-0421.xml
@@ -30,6 +30,17 @@
     <email>[email protected]</email>
     <jid>[email protected]</jid>
   </author>
+  <revision>
+    <version>0.2.0</version>
+    <date>2024-05-28</date>
+    <initials>mw</initials>
+    <remark><ul>
+      <li>Make explicit that one can't just hash the real JID.</li>
+      <li>Expand security considerations.</li>
+      <li>Add schema.</li>
+      <li>Fix some examples captions and casing</li>
+    </ul></remark>
+  </revision>
   <revision>
     <version>0.1.0</version>
     <date>2019-08-20</date>
@@ -97,14 +108,14 @@
       attaches an &lt;occupant-id&gt; element to the presence sent to all
       occupants in the room.
     </p>
-    <example caption="Client sends a message"><![CDATA[
+    <example caption="Client joins a room"><![CDATA[
 <presence
     from='[email protected]/pda'
     id='n13mt3l'
     to='[email protected]/thirdwitch'>
   <x xmlns='http://jabber.org/protocol/muc'/>
 </presence>]]></example>
-    <example caption="Service Sends New Occupant's Presence to All Occupants"><![CDATA[
+    <example caption="Service sends new cccupant's presence to all occupants"><![CDATA[
 <presence
     from='[email protected]/thirdwitch'
     id='27C55F89-1C6A-459A-9EB5-77690145D624'
@@ -121,15 +132,15 @@
         &lt;occupant-id&gt; element to the message sent to all occupants in the
         room.
       </p>
-    <example caption="Occupant Sends a Message to All Occupants"><![CDATA[
+    <example caption="Client sends a message to all occupants"><![CDATA[
 <message
     from='[email protected]/pda'
     id='hysf1v37'
     to='[email protected]'
     type='groupchat'>
   <body>Harpier cries: 'tis time, 'tis time.</body>
 </message>]]></example>
-    <example caption="Service Reflects Message to All Occupants"><![CDATA[
+    <example caption="Service reflects message to all occupants"><![CDATA[
 <message
     from='[email protected]/thirdwitch'
     id='hysf1v37'
@@ -184,6 +195,9 @@
       SHOULD generate the identifier such that the occupant identifier of a user
       in one room of the service does not match the occupant identifier of the
       same user in another room of the same service.
+      To guarantee the anonymity property, the server MUST NOT generate an 
+      occupant identifier by only hashing the real bare JID using static,
+      guessable or discoverable parameters.
     </p>
     <p>
       The occupant identifier MUST have a maximum length of 128 characters. The
@@ -201,8 +215,25 @@
 <section1 topic='Security Considerations' anchor='security'>
   <p>
     If a MUC uses occupant identifiers, nickname changes will be visible to
-    all occupants of the room. Clients MAY warn users about this circumstance
-    before joining the room.
+    all occupants of the room. Clients may warn users about this circumstance
+    before joining the room or when changing the nickname.
+  </p>
+  <p>
+    When the MUC service does not support this specification, the server will
+    likely forward any &lt;occupant-id&gt; included in &lt;message&gt;s sent by
+    other room occupants and reflected by the MUC service. Receiving clients
+    must be careful to only process occupant identifiers if the MUC server
+    advertises support for this specification as described in the
+    <link url='#disco'>Discovering support</link> section.
+  </p>
+  <p>
+    The anonymity property of occupant identifiers is crucial to not
+    accidentally reveal an occupant's real bare JID to other room occupants.
+    Specifically, a simple hash over the occupant's real bare JID is not
+    sufficient as an occupant identifier, as unsalted hashes can be reversed
+    easily based on a dictionary of candidate JIDs. Review the
+    <link url='#id-generation'>Occupant ID generation</link> section for more
+    details.
   </p>
 </section1>
 <section1 topic='IANA Considerations' anchor='iana'>
@@ -216,4 +247,28 @@
     </ul>
   </section2>
 </section1>
+<section1 topic='XML Schema'>
+  <code><![CDATA[
+<?xml version='1.0' encoding='utf-8'?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           targetNamespace="urn:xmpp:occupant-id:0"
+           xmlns="urn:xmpp:occupant-id:0"
+           elementFormDefault="qualified">
+
+    <xs:element name="occupant-id">
+      <xs:complexType>
+        <xs:attribute name="id" type="OccupantIdentifier" use="required" />
+      </xs:complexType>
+    </xs:element>
+
+    <xs:simpleType name="OccupantIdentifier">
+        <xs:restriction base="xs:string">
+            <xs:minLength value="1"/>
+            <xs:maxLength value="128"/>
+        </xs:restriction>
+    </xs:simpleType>
+
+</xs:schema>
+]]></code>
+</section1>
 </xep>