diff options
Diffstat (limited to 'doc/rfc/rfc2779.txt')
-rw-r--r-- | doc/rfc/rfc2779.txt | 1459 |
1 files changed, 1459 insertions, 0 deletions
diff --git a/doc/rfc/rfc2779.txt b/doc/rfc/rfc2779.txt new file mode 100644 index 0000000..dbe89d1 --- /dev/null +++ b/doc/rfc/rfc2779.txt @@ -0,0 +1,1459 @@ + + + + + + +Network Working Group M. Day +Request for Comments: 2779 Lotus +Category: Informational S. Aggarwal + Microsoft + G. Mohr + Activerse + J. Vincent + Into Networks + February 2000 + + + Instant Messaging / Presence Protocol Requirements + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2000). All Rights Reserved. + +Abstract + + Presence and Instant Messaging have recently emerged as a new medium + of communications over the Internet. Presence is a means for + finding, retrieving, and subscribing to changes in the presence + information (e.g. "online" or "offline") of other users. Instant + messaging is a means for sending small, simple messages that are + delivered immediately to online users. + + Applications of presence and instant messaging currently use + independent, non-standard and non-interoperable protocols developed + by various vendors. The goal of the Instant Messaging and Presence + Protocol (IMPP) Working Group is to define a standard protocol so + that independently developed applications of instant messaging and/or + presence can interoperate across the Internet. This document defines + a minimal set of requirements that IMPP must meet. + + + + + + + + + + + + +Day, et al. Informational [Page 1] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + +Table of Contents + + 1. Terminology................................................... 3 + 2. Shared Requirements........................................... 4 + 2.1. Namespace and Administration............................... 5 + 2.2. Scalability................................................ 5 + 2.3. Access Control............................................. 6 + 2.4. Network Topology........................................... 6 + 2.5. Message Encryption and Authentication...................... 7 + 3. Additional Requirements for PRESENCE INFORMATION.............. 7 + 3.1. Common Presence Format..................................... 7 + 3.2. Presence Lookup and Notification........................... 8 + 3.3. Presence Caching and Replication........................... 8 + 3.4. Performance................................................ 9 + 4. Additional Requirements for INSTANT MESSAGES.................. 9 + 4.1. Common Message Format...................................... 9 + 4.2. Reliability................................................ 10 + 4.3. Performance................................................ 10 + 4.4. Presence Format............................................ 10 + 5. Security Considerations....................................... 11 + 5.1. Requirements related to SUBSCRIPTIONS...................... 11 + 5.2. Requirements related to NOTIFICATION....................... 12 + 5.3. Requirements related to receiving a NOTIFICATION........... 13 + 5.4. Requirements related to INSTANT MESSAGES................... 13 + 6. References.................................................... 14 + 7. Authors' Addresses............................................ 15 + 8. Appendix: Security Expectations and Deriving Requirements..... 16 + 8.1. Presence Information....................................... 16 + 8.1.1. Subscription............................................ 16 + 8.1.2. Publication............................................. 19 + 8.1.3. Publication for Notification............................ 19 + 8.1.4. Receiving a Notification................................ 20 + 8.2. Instant Messaging.......................................... 21 + 8.2.1. Named Instant Messaging................................. 21 + 8.2.2. Anonymous Instant Messaging............................. 23 + 8.2.3. Administrator Expectations.............................. 24 + Full Copyright Statement......................................... 26 + + + + + + + + + + + + + + +Day, et al. Informational [Page 2] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + +1. Terminology + + The following terms are defined in [RFC 2778] and are used with those + definitions in this document: + + ACCESS RULES + CLOSED + FETCHER + INSTANT INBOX + INSTANT MESSAGE + NOTIFICATION + OPEN + POLLER + PRESENCE INFORMATION + PRESENCE SERVICE + PRESENTITY + PRINCIPAL + PROXY + SERVER + STATUS + SUBSCRIBER + SUBSCRIPTION + WATCHER + + The terms MUST and SHOULD are used in the following sense while + specifying requirements: + + MUST: A proposed solution will have to meet this requirement. + SHOULD: A proposed solution may choose not to meet this requirement. + + Note that this usage of MUST and SHOULD differs from that of RFC + 2119. + + Additionally, the following terms are used in this document and + defined here: + + ADMINISTRATOR: A PRINCIPAL with authority over local computer and + network resources, who manages local DOMAINS or FIREWALLS. For + security and other purposes, an ADMINISTRATOR often needs or wants to + impose restrictions on network usage based on traffic type, content, + volume, or endpoints. A PRINCIPAL's ADMINISTRATOR has authority over + some or all of that PRINCIPAL's computer and network resources. + + DOMAIN: A portion of a NAMESPACE. + + ENTITY: Any of PRESENTITY, SUBSCRIBER, FETCHER, POLLER, or WATCHER + (all defined in [RFC 2778]). + + + + +Day, et al. Informational [Page 3] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + FIREWALL: A point of administrative control over connectivity. + Depending on the policies being enforced, parties may need to take + unusual measures to establish communications through the FIREWALL. + + IDENTIFIER: A means of indicating a point of contact, intended for + public use such as on a business card. Telephone numbers, email + addresses, and typical home page URLs are all examples of IDENTIFIERS + in other systems. Numeric IP addresses like 10.0.0.26 are not, and + neither are URLs containing numerous CGI parameters or long arbitrary + identifiers. + + INTENDED RECIPIENT: The PRINCIPAL to whom the sender of an INSTANT + MESSAGE is sending it. + + NAMESPACE: The system that maps from a name of an ENTITY to the + concrete implementation of that ENTITY. A NAMESPACE may be composed + of a number of distinct DOMAINS. + + OUT OF CONTACT: A situation in which some ENTITY and the PRESENCE + SERVICE cannot communicate. + + SUCCESSFUL DELIVERY: A situation in which an INSTANT MESSAGE was + transmitted to an INSTANT INBOX for the INTENDED RECIPIENT, and the + INSTANT INBOX acknowledged its receipt. SUCCESSFUL DELIVERY usually + also implies that an INBOX USER AGENT has handled the message in a + way chosen by the PRINCIPAL. However, SUCCESSFUL DELIVERY does not + imply that the message was actually seen by that PRINCIPAL. + +2. Shared Requirements + + This section describes non-security requirements that are common to + both an PRESENCE SERVICE and an INSTANT MESSAGE SERVICE. Section 6 + describes requirements specific to a PRESENCE SERVICE, while Section + 7 describes requirements specific to an INSTANT MESSAGE SERVICE. + Section 8 describes security considerations. The reader should note + that Section 11 is an appendix that provides historical context and + aids in tracing the origins of requirements in Section 8. Section 11 + is not, however, a statement of current IMPP requirements. + + It is expected that Presence and Instant Messaging services will be + particularly valuable to users over mobile IP wireless access + devices. Indeed the number of devices connected to the Internet via + wireless means is expected to grow substantially in the coming years. + It is not reasonable to assume that separate protocols will be + available for the wireless portions of the Internet. In addition, we + note that wireless infrastructure is maturing rapidly; the work + undertaken by this group should take into account the expected state + of the maturity of the technology in the time-frame in which the + + + +Day, et al. Informational [Page 4] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + Presence and Instant Messaging protocols are expected to be deployed. + + To this end, the protocols designed by this Working Group must be + suitable for operation in a context typically associated with mobile + wireless access devices, viz. high latency, low bandwidth and + possibly intermittent connectivity (which lead to a desire to + minimize round-trip delays), modest computing power, battery + constraints, small displays, etc. In particular, the protocols must + be designed to be reasonably efficient for small payloads. + +2.1. Namespace and Administration + + 2.1.1. The protocols MUST allow a PRESENCE SERVICE to be available + independent of whether an INSTANT MESSAGE SERVICE is available, and + vice-versa. + + 2.1.2. The protocols must not assume that an INSTANT INBOX is + necessarily reached by the same IDENTIFIER as that of a PRESENTITY. + Specifically, the protocols must assume that some INSTANT INBOXes may + have no associated PRESENTITIES, and vice versa. + + 2.1.3. The protocols MUST also allow an INSTANT INBOX to be reached + via the same IDENTIFIER as the IDENTIFIER of some PRESENTITY. + + 2.1.4. The administration and naming of ENTITIES within a given + DOMAIN MUST be able to operate independently of actions in any other + DOMAIN. + + 2.1.5. The protocol MUST allow for an arbitrary number of DOMAINS + within the NAMESPACE. + +2.2. Scalability + + 2.2.1. It MUST be possible for ENTITIES in one DOMAIN to interoperate + with ENTITIES in another DOMAIN, without the DOMAINS having + previously been aware of each other. + + The protocol MUST be capable of meeting its other functional and + performance requirements even when + + -- (2.2.2) there are millions of ENTITIES within a single DOMAIN. + + -- (2.2.3) there are millions of DOMAINS within the single + NAMESPACE. + + + + + + + +Day, et al. Informational [Page 5] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + -- (2.2.4) every single SUBSCRIBER has SUBSCRIPTIONS to hundreds + of PRESENTITIES. + + -- (2.2.5) hundreds of distinct SUBSCRIBERS have SUBSCRIPTIONS to + a single PRESENTITY. + + -- (2.2.6) every single SUBSCRIBER has SUBSCRIPTIONS to + PRESENTITIES in hundreds of distinct DOMAINS. + + These are protocol design goals; implementations may choose to place + lower limits. + +2.3. Access Control + + The PRINCIPAL controlling a PRESENTITY MUST be able to control + + -- (2.3.1) which WATCHERS can observe that PRESENTITY's PRESENCE + INFORMATION. + + -- (2.3.2) which WATCHERS can have SUBSCRIPTIONS to that + PRESENTITY's PRESENCE INFORMATION. + + -- (2.3.3) what PRESENCE INFORMATION a particular WATCHER will see + for that PRESENTITY, regardless of whether the WATCHER gets it + by fetching or NOTIFICATION. + + -- (2.3.4) which other PRINCIPALS, if any, can update the PRESENCE + INFORMATION of that PRESENTITY. + + The PRINCIPAL controlling an INSTANT INBOX MUST be able to control + + -- (2.3.5) which other PRINCIPALS, if any, can send INSTANT + MESSAGES to that INSTANT INBOX. + + -- (2.3.6) which other PRINCIPALS, if any, can read INSTANT + MESSAGES from that INSTANT INBOX. + + 2.3.7. Access control MUST be independent of presence: the PRESENCE + SERVICE MUST be able to make access control decisions even when the + PRESENTITY is OUT OF CONTACT. + +2.4. Network Topology + + Note that intermediaries such as PROXIES may be necessitated between + IP and non-IP networks, and by an end-user's desire to provide + anonymity and hide their IP address. + + + + + +Day, et al. Informational [Page 6] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + 2.4.1. The protocol MUST allow the creation of a SUBSCRIPTION both + directly and via intermediaries, such as PROXIES. + + 2.4.2. The protocol MUST allow the sending of a NOTIFICATION both + directly and via intermediaries, such as PROXIES. + + 2.4.3. The protocol MUST allow the sending of an INSTANT MESSAGE both + directly and via intermediaries, such as PROXIES. + + 2.4.4. The protocol proxying facilities and transport practices MUST + allow ADMINISTRATORS ways to enable and disable protocol activity + through existing and commonly-deployed FIREWALLS. The protocol MUST + specify how it can be effectively filtered by such FIREWALLS. + +2.5. Message Encryption and Authentication + + 2.5.1. The protocol MUST provide means to ensure confidence that a + received message (NOTIFICATION or INSTANT MESSAGE) has not been + corrupted or tampered with. + + 2.5.2. The protocol MUST provide means to ensure confidence that a + received message (NOTIFICATION or INSTANT MESSAGE) has not been + recorded and played back by an adversary. + + 2.5.3. The protocol MUST provide means to ensure that a sent message + (NOTIFICATION or INSTANT MESSAGE) is only readable by ENTITIES that + the sender allows. + + 2.5.4. The protocol MUST allow any client to use the means to ensure + non-corruption, non-playback, and privacy, but the protocol MUST NOT + require that all clients use these means at all times. + +3. Additional Requirements for PRESENCE INFORMATION + + The requirements in section 6 are applicable only to PRESENCE + INFORMATION and not to INSTANT MESSAGES. Additional constraints on + PRESENCE INFORMATION in a system supporting INSTANT MESSAGES appear + in Section 7.4. + +3.1. Common Presence Format + + 3.1.1. All ENTITIES MUST produce and consume at least a common base + format for PRESENCE INFORMATION. + + 3.1.2. The common presence format MUST include a means to uniquely + identify the PRESENTITY whose PRESENCE INFORMATION is reported. + + + + + +Day, et al. Informational [Page 7] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + 3.1.3. The common presence format MUST include a means to encapsulate + contact information for the PRESENTITY's PRINCIPAL (if applicable), + such as email address, telephone number, postal address, or the like. + + 3.1.4. There MUST be a means of extending the common presence format + to represent additional information not included in the common + format, without undermining or rendering invalid the fields of the + common format. + + 3.1.5. The working group must define the extension and registration + mechanisms for presence information schema, including new STATUS + conditions and new forms for OTHER PRESENCE MARKUP. + + 3.1.6. The presence format SHOULD be based on IETF standards such as + vCard [RFC 2426] if possible. + +3.2. Presence Lookup and Notification + + 3.2.1. A FETCHER MUST be able to fetch a PRESENTITY's PRESENCE + INFORMATION even when the PRESENTITY is OUT OF CONTACT. + + 3.2.2. A SUBSCRIBER MUST be able to request a SUBSCRIPTION to a + PRESENTITY's PRESENCE INFORMATION, even when the PRESENTITY is OUT OF + CONTACT. + + 3.2.3. If the PRESENCE SERVICE has SUBSCRIPTIONS for a PRESENTITY's + PRESENCE INFORMATION, and that PRESENCE INFORMATION changes, the + PRESENCE SERVICE MUST deliver a NOTIFICATION to each SUBSCRIBER, + unless prevented by the PRESENTITY's ACCESS RULES. + + 3.2.4. The protocol MUST provide a mechanism for detecting when a + PRESENTITY or SUBSCRIBER has gone OUT OF CONTACT. + + 3.2.5. The protocol MUST NOT depend on a PRESENTITY or SUBSCRIBER + gracefully telling the service that it will no longer be in + communication, since a PRESENTITY or SUBSCRIBER may go OUT OF CONTACT + due to unanticipated failures. + +3.3. Presence Caching and Replication + + 3.3.1. The protocol MUST include mechanisms to allow PRESENCE + INFORMATION to be cached. + + 3.3.2. The protocol MUST include mechanisms to allow cached PRESENCE + INFORMATION to be updated when the master copy changes. + + + + + + +Day, et al. Informational [Page 8] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + 3.3.3 The protocol caching facilities MUST NOT circumvent established + ACCESS RULES or restrict choice of authentication/encryption + mechanisms. + +3.4 Performance + + 3.4.1 When a PRESENTITY changes its PRESENCE INFORMATION, any + SUBSCRIBER to that information MUST be notified of the changed + information rapidly, except when such notification is entirely + prevented by ACCESS RULES. This requirement is met if each + SUBSCRIBER's NOTIFICATION is transported as rapidly as an INSTANT + MESSAGE would be transported to an INSTANT INBOX. + +4. Additional Requirements for INSTANT MESSAGES + + The requirements in section 4 are applicable only to INSTANT MESSAGES + and not to PRESENCE INFORMATION, with the exception of Section 4.4. + Section 4.4 describes constraints on PRESENCE INFORMATION that are + relevant only to systems that support both INSTANT MESSAGES and + PRESENCE INFORMATION. + +4.1. Common Message Format + + 4.1.1. All ENTITIES sending and receiving INSTANT MESSAGES MUST + implement at least a common base format for INSTANT MESSAGES. + + 4.1.2. The common base format for an INSTANT MESSAGE MUST identify + the sender and intended recipient. + + 4.1.3. The common message format MUST include a return address for + the receiver to reply to the sender with another INSTANT MESSAGE. + + 4.1.4. The common message format SHOULD include standard forms of + addresses or contact means for media other than INSTANT MESSAGES, + such as telephone numbers or email addresses. + + 4.1.5. The common message format MUST permit the encoding and + identification of the message payload to allow for non-ASCII or + encrypted content. + + 4.1.6. The protocol must reflect best current practices related to + internationalization. + + 4.1.7. The protocol must reflect best current practices related to + accessibility. + + + + + + +Day, et al. Informational [Page 9] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + 4.1.8. The working group MUST define the extension and registration + mechanisms for the message format, including new fields and new + schemes for INSTANT INBOX ADDRESSES. + + 4.1.9. The working group MUST determine whether the common message + format includes fields for numbering or identifying messages. If + there are such fields, the working group MUST define the scope within + which such identifiers are unique and the acceptable means of + generating such identifiers. + + 4.1.10. The common message format SHOULD be based on IETF-standard + MIME [RFC 2045]. + +4.2. Reliability + + 4.2.1. The protocol MUST include mechanisms so that a sender can be + informed of the SUCCESSFUL DELIVERY of an INSTANT MESSAGE or reasons + for failure. The working group must determine what mechanisms apply + when final delivery status is unknown, such as when a message is + relayed to non-IMPP systems. + +4.3 Performance + + 4.3.1. The transport of INSTANT MESSAGES MUST be sufficiently rapid + to allow for comfortable conversational exchanges of short messages. + +4.4 Presence Format + + 4.4.1. The common presence format MUST define a minimum standard + presence schema suitable for INSTANT MESSAGE SERVICES. + + 4.4.2. When used in a system supporting INSTANT MESSAGES, the common + presence format MUST include a means to represent the STATUS + conditions OPEN and CLOSED. + + 4.4.3. The STATUS conditions OPEN and CLOSED may also be applied to + messaging or communication modes other than INSTANT MESSAGE SERVICES. + + + + + + + + + + + + + + +Day, et al. Informational [Page 10] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + +5. Security Considerations + + Security considerations are addressed in section 2.3, Access Control, + and section 2.5, Message authentication and encryption. + + This section describes further security-related requirements that the + protocol must meet. + + The security requirements were derived from a set of all-encompassing + "security expectations" that were then evaluated for practicality and + implementability and translated into requirements. In the appendix, + we describe the expectations and the process used to transform them + into requirements. In this section, we simply list the consolidated + set of derived requirements. + + Note that in the requirements, ADMINISTRATORs may have privileges + beyond those allowed to PRINCIPALs referred to in the requirements. + (Unless otherwise noted, the individual expectations specifically + refer to PRINCIPALs.) It is up to individual implementations to + control administrative access and implement the security privileges + of ADMINISTRATORs without compromising the requirements made on + PRINCIPALs. + + Unless noted otherwise, A,B,C are all names of non-ADMINISTRATOR + PRINCIPALS. + +5.1. Requirements related to SUBSCRIPTIONS + + When A establishes a SUBSCRIPTION to B's PRESENCE INFORMATION: + + 5.1.1. The protocol MUST provide A means of identifying and + authenticating that the PRESENTITY subscribed to is controlled by B. + + 5.1.2. If A so chooses, the protocol SHOULD NOT make A's SUBSCRIPTION + to B obvious to a third party C. + + 5.1.3. The protocol MUST provide B with means of allowing an + unauthenticated subscription by A. + + 5.1.4. The protocol MUST provide A means of verifying the accurate + receipt of the content B chooses to disclose to A. + + 5.1.5. B MUST inform A if B refuses A's SUBSCRIPTION. Note that B may + choose to accept A's SUBSCRIPTION, but fail to deliver any + information to it (so-called "polite blocking"). See 5.1.15. + + 5.1.6. The protocol MUST NOT let any third party C force A to + subscribe to B's PRESENCE INFORMATION without A's consent. + + + +Day, et al. Informational [Page 11] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + 5.1.7. A MUST be able to cancel her SUBSCRIPTION to B's PRESENCE + INFORMATION at any time and for any reason. When A does so, the + PRESENCE SERVICE stops informing A of changes to B's PRESENCE + INFORMATION. + + 5.1.8. The protocol MUST NOT let an unauthorized party C cancel A's + SUBSCRIPTION to B. + + 5.1.9. If A's SUBSCRIPTION to B is cancelled, the service SHOULD + inform A of the cancellation. + + 5.1.10. A SHOULD be able to determine the status of A's SUBSCRIPTION + to B, at any time. + + 5.1.11. The protocol MUST provide B means of learning about A's + SUBSCRIPTION to B, both at the time of establishing the SUBSCRIPTION + and afterwards. + + 5.1.12. The protocol MUST provide B means of identifying and + authenticating the SUBSCRIBER's PRINCIPAL, A. + + 5.1.13. It MUST be possible for B to prevent any particular PRINCIPAL + from subscribing. + + 5.1.14. It MUST be possible for B to prevent anonymous PRINCIPALS + from subscribing. + + 5.1.15. It MUST be possible for B to configure the PRESENCE SERVICE + to deny A's subscription while appearing to A as if the subscription + has been granted (this is sometimes called "polite blocking"). The + protocol MUST NOT mandate the PRESENCE SERVICE to service + subscriptions that are treated in this manner. + + 5.1.16. B MUST be able to cancel A's subscription at will. + + 5.1.17. The protocol MUST NOT require A to reveal A's IP address to + B. + + 5.1.18 The protocol MUST NOT require B to reveal B's IP address to A. + +5.2. Requirements related to NOTIFICATION + + When a PRINCIPAL B publishes PRESENCE INFORMATION for NOTIFICATION to + another PRINCIPAL A: + + 5.2.1. The protocol MUST provide means of ensuring that only the + PRINCIPAL A being sent the NOTIFICATION by B can read the + NOTIFICATION. + + + +Day, et al. Informational [Page 12] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + 5.2.2. A should receive all NOTIFICATIONS intended for her. + + 5.2.3. It MUST be possible for B to prevent A from receiving + notifications, even if A is ordinarily permitted to see such + notifications. It MUST be possible for B to, at its choosing, notify + different subscribers differently, through different notification + mechanisms or through publishing different content. This is a + variation on "polite blocking". + + 5.2.4. The protocol MUST provide means of protecting B from another + PRINCIPAL C "spoofing" notification messages about B. + + 5.2.5. The protocol MUST NOT require that A reveal A's IP address to + B. + + 5.2.6. The protocol MUST NOT require that B reveal B's IP address to + A. + +5.3. Requirements related to receiving a NOTIFICATION + + When a PRINCIPAL A receives a notification message from another + principal B, conveying PRESENCE INFORMATION, + + 5.3.1. The protocol MUST provide A means of verifying that the + presence information is accurate, as sent by B. + + 5.3.2. The protocol MUST ensure that A is only sent NOTIFICATIONS + from entities she has subscribed to. + + 5.3.3. The protocol MUST provide A means of verifying that the + notification was sent by B. + +5.4. Requirements related to INSTANT MESSAGES + + When a user A sends an INSTANT MESSAGE M to another user B, + + 5.4.1. A MUST receive confirmation of non-delivery. + + 5.4.2. If M is delivered, B MUST receive the message only once. + + 5.4.3. The protocol MUST provide B means of verifying that A sent the + message. + + 5.4.4. B MUST be able to reply to the message via another instant + message. + + 5.4.5. The protocol MUST NOT always require A to reveal A's IP + address, for A to send an instant message. + + + +Day, et al. Informational [Page 13] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + 5.4.6. The protocol MUST provide A means of ensuring that no other + PRINCIPAL C can see the content of M. + + 5.4.7. The protocol MUST provide A means of ensuring that no other + PRINCIPAL C can tamper with M, and B means to verify that no + tampering has occurred. + + 5.4.8. B must be able to read M. + + 5.4.9. The protocol MUST allow A to sign the message, using existing + standards for digital signatures. + + 5.4.10. B MUST be able to prevent A from sending him messages + +6. References + + [RFC 2778] Day, M., Rosenberg, J. and H. Sagano, "A Model for + Presence and Instant Messaging", RFC 2778, February 2000. + + [RFC 2426] Dawson, F. and T. Howes, "vCard MIME Directory Profile", + RFC 2426, September 1998. + + [RFC 2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail + Extensions (MIME) - Part One: Format of Internet Message + Bodies", RFC 2045, November 1996. + + [RFC 2119] Bradner, S., "Key Words for Use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + + + + + + + + + + + + + + + + + + + + + + +Day, et al. Informational [Page 14] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + +7. Authors' Addresses + + Mark Day + SightPath, Inc. + 135 Beaver Street + Waltham, MA 02452 + USA + + EMail: mday@alum.mit.edu + (Formerly Mark_Day@lotus.com) + + + Sonu Aggarwal + Microsoft Corporation + One Microsoft Way + Redmond, WA 98052 + USA + + EMail: sonuag@microsoft.com + + + Gordon Mohr + + EMail: gojomo@usa.net + (Formerly gojomo@activerse.com) + + + Jesse Vincent + Into Networks, Inc. + 150 Cambridgepark Drive + Cambridge, MA 02140 + USA + + EMail: jesse@intonet.com + (Formerly jvincent@microsoft.com) + + + + + + + + + + + + + + + + +Day, et al. Informational [Page 15] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + +8. Appendix: Security Expectations and Deriving Requirements + + This appendix is based on the security expectations discussed on the + impp mailing list and assembled by Jesse Vincent. The original form + of numbering has been preserved in this appendix (so there are + several different items labeled B1, for example). The derived + requirements have new numbers that are consistent with the main body + of the document. This appendix is included to provide a connection + from discussions on the list to the requirements of Section 8, but it + is not intended to introduce any new requirements beyond those + presented in Sections 5 through 8. + +8.1. PRESENCE INFORMATION + + In the case of PRESENCE INFORMATION, the controlling PRINCIPAL's + privacy interests are paramount; we agreed that "polite blocking" + (denying without saying that the subscription is denied, or providing + false information) should be possible. + + 8.1.1. Subscription + + When a user Alice subscribes to another person, Bob's presence info, + Alice expects: + + A1. the PRESENTITY's PRINCIPAL, B, is identifiable and authenticated + + Discussion: Stands as a requirement. Note that the protocol + should provide Alice the capability of authenticating, without + requiring that Alice authenticate every SUBSCRIPTION. This + caveat is made necessary by performance concerns, among others, + and applies to many of the other requirements derived below. + [Requirement 5.1.1] + + A2. no third party will know that A has subscribed to B. + + Discussion: This is somewhat unreasonable to enforce as is. For + example, in some topologies, nothing can prevent someone doing + traffic analysis to deduce that A has subscribed to B. We should + merely require that the protocol not expose subscription + information in any obvious manner. [Requirement 5.1.2] + + + + + + + + + + + +Day, et al. Informational [Page 16] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + A3. A has the capability to subscribe to B's presence without B's + knowledge, if B permits anonymous subscriptions. + + Discussion: An "anonymous subscription" above can have two + implications - (i) B may allow an unauthenticated subscription by + A, and (ii) B may be unaware of A's stated identity. Requirement + (i) is reasonable [Requirement 8.1.3], but (ii) doesn't appear to + be a core requirement -- it can be adequately simulated via a + subscription pseudonym. + + A4. A will accurately receive what B chooses to disclose to A + regarding B's presence. + + Discussion: Stands as a requirement, with the "optional" + caveat. [Requirement 8.1.4] + + A5. B will inform A if B refuses A's subscription + + Discussion: Stands as a requirement. [Requirement 5.1.5] + + A6. No third party, C can force A to subscribe to B's presence + without A's consent. + + Discussion: Stands as a requirement. [Requirement 5.1.6] + + A7. A can cancel her subscription to B's presence at any time and for + any reason. When A does so, she will receive no further information + about B's presence information. + + Discussion: This essentially stands. However, implementations + may have to contend with a timing window where A receives, after + sending her cancellation request, a notification sent by B before + B received the cancellation request. Therefore, the requirement + should focus on B's ceasing to send presence information, rather + than A's ceasing to receive it. [Requirement 5.1.7] + + A8. no third party, C, can cancel A's subscription to B. + + Discussion: Stands, although the administrative exception does + apply. [Requirement 5.1.8] + + A9. A is notified if her subscription to B is cancelled for any + reason. + + Discussion: Although the intent is reasonable, there are a number + of scenarios (e.g. overburdened server, clogged network, server + crash) where delivering a notification to A of the cancellation + is undesirable or impossible. Therefore, the service should make + + + +Day, et al. Informational [Page 17] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + an attempt to inform, but this is not required. [Requirement + 5.1.9] + + Bob expects: + + B1. B will be informed that A subscribed to B's presence information, + as long as A has not subscribed anonymously. + + Discussion: This essentially stands. However, B can also choose + to determine A's subscription after the fact. [Requirement + 5.1.10] + + B2. A is identifiable and authenticated. + + Discussion: This stands as a requirement. [Requirement 5.1.11] + + B3. B can prevent a particular user, D, from subscribing. + + Discussion: This stands as a requirement. [Requirement 5.1.12] + + B4. B can prevent anonymous users from subscribing. + + Discussion: This stands as a requirement. [Requirement 5.1.13] + + B5. B's presence information is not republished by A to a third + party, E, who does not. + + Discussion: This is practically impossible to enforce, so it is + omitted from the requirement set. + + B6. B can deny A's subscription without letting A know that she's + been blocked. + + Discussion: This "polite blocking" capability essentially stands; + accepting a "denied" subscription should bear no implication on + servicing it for status notifications. [Requirement 5.1.14] + + B7. B can cancel A's subscription at will. + + Discussion: Stands as a requirement. [Requirement 5.1.15] + + Charlie, bob's network administrator expects: + + C1. C knows who is subscribed to B at all times. + + Discussion: Administrators should be able to determine who is + subscribed, but needn't be continuously informed of the list of + subscribers. Also, in some cases user agents (e.g. proxies) may + + + +Day, et al. Informational [Page 18] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + have subscribed on behalf of users, and in these cases the + administrator can only determine the identity of these agents, + not their users. [Requirement 5.1.16] + + C2. C can manage all aspects of A's presence information. + + Discussion: This stands as a requirement. [Requirement 5.1.17] + + C3. C can control who can access A's presence information and + exchange instant messages with A. + + Discussion: This stands in principle, but C should be able to + waive these capabilities if C desires. [Requirement 5.1.18] + + 8.1.2. Publication + + The publisher of status information, Bob, expects: + + B1. That information about B is not provided to any entity without + B's knowledge and consent. + + Discussion: This is nearly impossible to accomplish, so it is + omitted from the requirements. + + 8.1.3. Publication for Notification + + When information is published for notification, B expects: + + B1. only a person being sent a notification, A, can read the + notification. + + Discussion: Stands as a requirement. [Requirement 5.2.1] + + B2. A reliably receives all notifications intended for her. + + Discussion: This stands, although "Reliably" is a little strong + (e.g. network outages, etc.). [Requirement 5.2.2] + + B3. B can prevent A from receiving notifications, even if A is + ordinarily permitted to see such notifications. This is a variation + on "polite blocking." + + Discussion: This stands as a requirement. Also incorporated into + this requirement is the notifications equivalent of the next + expectation, B4. [Requirement 5.2.3] + + + + + + +Day, et al. Informational [Page 19] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + B4. B can provide two interested parties A and E with different + status information at the same time. (B could represent the same + event differently to different people.) + + Discussion: This stands as a requirement; it has been + incorporated into the corresponding requirement for B3 above. + + B5. B expects that malicious C cannot spoof notification messages + about B. + + Discussion: Stands in principle, but it should be optional for B. + [Requirement 5.2.4] + + 8.1.4. Receiving a Notification + + When Alice receives a notification, the recipient, Alice, expects: + + A1. That the notification information is accurate, truthful. + + Discussion: Stands in principle, although being "truthful" can't + be a requirement, and the verification is optional for Alice. + [Requirement 5.3.1] + + A2. That information about subscriptions remains private; people do + not learn that A's subscription to B's information exists by watching + notifications occur. + + Discussion: This is omitted from the requirements, as traffic + analysis, even of encrypted traffic, can convey this information + in some situations. + + A3. That she only receives notifications of things she's subscribed + to. + + Discussion: Stands as a requirement. [Requirement 5.3.2] + + A4. Notifications come from the apparent sender, B. + + Discussion: Stands in principle, although the verification should + be optional for A. [Requirement 5.3.3] + + A5. A can tell the difference between a message generated by the + user, and a message legitimately generated by the agent on behalf of + the user. + + Discussion: This could be quite difficult to enforce and could + unduly restrict usage scenarios; this is omitted from the + requirements. + + + +Day, et al. Informational [Page 20] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + A6. That information given by agents on behalf of users can also be + expected to be truthful, complete, and legitimately offered; the user + permitted the agent to publish these notifications. + + Discussion: This is difficult to enforce and is omitted from the + requirements. + + A7. A can prove that a notification from B was delivered in a timely + fashion and can prove exactly how long the message took to be + delivered. + + Discussion: This is difficult to enforce and is omitted from the + requirements. For example, such proof may entail global time + synchronization mechanisms (since any system clocks have + associated unreliability), which is outside the scope of this + effort. + + A8. A can prove that B was indeed the sender of a given message. + + Discussion: This is a duplication of expectation A4 above and is + reflected in the corresponding requirement 5.3.3. + +8.2. INSTANT MESSAGEs + + 8.2.1. Named Instant Messaging + + When a user Alice sends an instant message M to another user Bob: + + Alice expects that she: + + A1. will receive notification of non-delivery + + Discussion: Stands as a requirement. [Requirement 5.4.1] + + Alice expects that Bob: + + B1. will receive the message + + Discussion: covered by A1 and is reflected in the corresponding + requirement 5.4.1. + + B2. will receive the message quickly + + Discussion: Stands as a requirement, although this is also + covered elsewhere (in the non-security requirements), so this is + omitted from the security requirements. + + + + + +Day, et al. Informational [Page 21] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + B3. will receive the message only once + + Discussion: Stands as a requirement. [Requirement 5.4.2] + + B4. will be able to verify that Alice sent the message + + Discussion: Stands as a requirement. [Requirement 5.4.3] + + B5. will not know whether there were BCCs + + Discussion: Emulating e-mail conventions and social protocols is + not a core goal of this effort, and therefore references to + standard mail fields are omitted from the requirements. + + B6. will be able to reply to the message + + Discussion: Stands in principle; the recipient should be able to + reply via an instant message. [Requirement 5.4.4] + + B7. will know if he was a bcc recipient + + Discussion: Omitted, as noted above. + + B8. will not be able to determine any information about A (such as + her location or IP address) without A's knowledge and consent. + + Discussion: "Any information about A" is too general; the + requirement should focus on IP address. Further, "without A's + knowledge and consent" may be overkill. [Requirement 5.4.5] + + Alice expects that no other user Charlie will be able to: + + C1. see the content of M + + Discussion: Stands in principle, although this should not be + mandated for all IM communication. [Requirement 5.4.6] + + C2. tamper with M + + Discussion: Stands, with the same caveat as above. + [Requirement 5.4.7] + + C3. know that M was sent + + Discussion: It is impossible to prevent traffic analysis, and + this is therefore omitted from the requirements. + + + + + +Day, et al. Informational [Page 22] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + When a user Bob receives an instant message M from another user + Alice: + + Bob expects that Bob: + + D1. will be able to read M + + Discussion: Stands as a requirement. [Requirement 5.4.8] + + D2. will be able to verify M's authenticity (both Temporal and the + sender's identity) + + Discussion: As noted earlier, it is not reasonable to directly + require temporal checks. The protocol should, however, allow + signing messages using existing standards for signing. + [Requirement 5.4.9] + + D3. will be able to verify M's integrity + + Discussion: Stands as a requirement. [Requirement 5.4.10] + + D4. will be able to prevent A from sending him future messages + + Discussion: Stands as a requirement. [Requirement 5.4.11] + + Bob expects that Alice: + + E1. intended to send the message to Bob + + Discussion: This is covered by the corresponding requirement + 5.4.6 for C1 above. + + E2. informed Bob of all CCs. + + Discussion: As noted earlier, references to cc:'s are omitted + from the requirements. + + 8.2.2. Anonymous Instant Messaging + + Discussion: Anonymous instant messaging, as in "hiding the + identity of the sender", is not deemed to be a core requirement + of the protocol and references to it are therefore omitted from + the requirements. Implementations may provide facilities for + anonymous messaging if they wish, in ways that are consistent + with the other requirements. + + When a user Alice sends an anonymous instant message to another user + Bob: + + + +Day, et al. Informational [Page 23] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + Alice expects that Bob: + + B1. will receive the message + + B2. will receive the message quickly + + B3. will receive the message only once + + AB4.1. cannot know Alice sent it + + AB4.2. will know that the IM is anonymous, and not from a specific + named user + + AB4.3 may not allow anonymous IMs + + B5. will not know whether there were BCCs + + B6. will be able to reply to the message + + Alice expects that she: + + C1. will receive notification of non-delivery + + AC2. will receive an error if the IM was refused + + Bob expects that he: + + D1. will be able to read M + + D2. will be able to verify M's authenticity (both temporal and the + sender's identity) + + D3. will be able to verify M's integrity + + AD4. will know if an IM was sent anonymously + + AD5. will be able to automatically discard anonymous IM if desired + + AD6. will be able to control whether an error is sent to Alice if M + is discarded. + + 8.2.3. Administrator Expectations + + Charlie, Alice's network administrator expects: + + C1. that C will be able to send A instant messages at any time. + + C2. that A will receive any message he sends while A is online. + + + +Day, et al. Informational [Page 24] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + + C3. that A will not be able to refuse delivery of any instant + messages sent by C. + + Discussion for C1-C3: It is not clear this needs to be specially + handled at the protocol level; Administrators may accomplish the + above objectives through other means. For example, an + administrator may send a message to a user through the normal + mechanisms. This is therefore omitted from the requirements. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Day, et al. Informational [Page 25] + +RFC 2779 Instant Messaging/Presence Protocol February 2000 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2000). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Day, et al. Informational [Page 26] + |