[xmpp] [Errata Held for Document Update] RFC6121 (5058)

RFC Errata System <rfc-editor@rfc-editor.org> Mon, 10 July 2017 20:30 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8054012ECCE; Mon, 10 Jul 2017 13:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.203
X-Spam-Level:
X-Spam-Status: No, score=-4.203 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a-LFlRD9YFlp; Mon, 10 Jul 2017 13:30:22 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97EDB129B36; Mon, 10 Jul 2017 13:30:22 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 08679B80D30; Mon, 10 Jul 2017 13:30:20 -0700 (PDT)
To: flo@geekplace.eu, ietf@stpeter.im
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: ben@nostrum.com, iesg@ietf.org, xmpp@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20170710203021.08679B80D30@rfc-editor.org>
Date: Mon, 10 Jul 2017 13:30:20 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/xmpp/9Llu58CsvPdbFOHSZjqdrzxzl94>
Subject: [xmpp] [Errata Held for Document Update] RFC6121 (5058)
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/xmpp/>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2017 20:30:24 -0000

The following errata report has been held for document update 
for RFC6121, "Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence". 

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5058

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Florian Schmaus <flo@geekplace.eu>
Date Reported: 2017-07-02
Held by: Ben Campbell (IESG)

Section: 2.1.6

Original Text
-------------
   2.  A receiving client MUST ignore the stanza unless it has no 'from'
       attribute (i.e., implicitly from the bare JID of the user's
       account) or it has a 'from' attribute whose value matches the
       user's bare JID <user@domainpart>.

Corrected Text
--------------
   2.  A receiving client MUST ignore the stanza unless it has no 'from'
       attribute (i.e., implicitly from the bare JID of the user's
       account) or it has a 'from' attribute whose value matches either
       the user's bare JID <user@domainpart> or the address of an entity
       authorized performing roster pushes.

Notes
-----
RFC 6121 § 2.1.6 2. specifies that roster pushes have to origin from the "user's account", i.e., no 'from' attribute or 'from' attribute matching the user's bare JID. However the Security Warning in the same section states that

      ... this specification allows entities other than the user's server to
      maintain roster information, which means that a roster push might
      include a 'from' address other than the bare JID of the user's
      account.  Therefore, the client MUST check the 'from' address to
      verify that the sender of the roster push is authorized to update
      the roster.

which contradicts what is specified in § 2.1.6 2.

Verifier note: This seems more than editorial, and probably needs some discussion about third party authorizations. I will set the status to "Held for Document Update"

--------------------------------------
RFC6121 (draft-ietf-xmpp-3921bis-20)
--------------------------------------
Title               : Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence
Publication Date    : March 2011
Author(s)           : P. Saint-Andre
Category            : PROPOSED STANDARD
Source              : Extensible Messaging and Presence Protocol RAI
Area                : Real-time Applications and Infrastructure
Stream              : IETF
Verifying Party     : IESG