XEP-0220: Server Dialback

This specification defines the Server Dialback protocol, which is used between XMPP servers to provide identity verification. Server Dialback uses the Domain Name System (DNS) as the basis for verifying identity; the basic approach is that when a receiving server receives a server-to-server connection request from an originating server, it does not accept the request until it has verified a key with an authoritative server for the domain asserted by the originating server. Although Server Dialback does not provide strong authentication or trusted federation and although it is subject to DNS poisoning attacks, it has effectively prevented most instances of address spoofing on the XMPP network since its development in the year 2000.

NOTICE: This document is currently within Last Call or under consideration by the XMPP Council for advancement to the next stage in the XSF standards process.

1. Introduction
    1.1. Why Dialback?
    1.2. What Dialback Accomplishes
    1.3. When Dialback Is Used
    1.4. How Dialback Works
    1.5. Stream Reuse
2. Protocol
    2.1. Outgoing Connection
       2.1.1. Dialback Request and Response
       2.1.2. Verify Request and Response
    2.2. Incoming connection
       2.2.1. Dialback Request and Response
       2.2.2. Verify Request and Response
3. Security Considerations
4. IANA Considerations
5. XMPP Registrar Considerations
    5.1. Protocol Namespaces
6. XML Schema
    6.1. Dialback

Appendices
    A: Document Information
    B: Author Information
    C: Legal Notices
    D: Relation to XMPP
    E: Discussion Venue
    F: Requirements Conformance
    G: Notes
    H: Revision History

1. Introduction

1.1 Why Dialback?

When Jabber technologies were first developed in 1998, they were conceived of as a client-server system similar to email, wherein a client would connect to a server in order to communicate with other clients. Similarly, servers would connect with peer servers to provide inter-domain communication (often called "federation"). In a system that allows federation, it is important for a server to be able to determine the identity of a peer server; accepting a connection from any peer without determining its identity would result in the use of merely asserted identities and a completely uncontrolled approach to federation, which on the open Internet would rapidly devolve into chaos. Clearly such a state of affairs would be unsustainable for a network protocol aiming for widespread deployment.

Unfortunately, that was the state of affairs on the Jabber network during the earliest releases of the original jabberd [1] server codebase (up through the 1.0 release in May 2000). Therefore the open-source developer community designed a protocol ("Server Dialback") for weak identity verification based on the Domain Name System (DNS), built support for that protocol into the jabberd 1.2 server (released in October 2000), and mandated support for that protocol on the emerging Jabber server network.

When the core Jabber protocols were formalized by the XMPP Working Group of the Internet Engineering Task Force (IETF) [2] in 2002-2004, support for strong identity verification was added. That support takes the form of Transport Layer Security (TLS) for encryption of server-to-server XML streams and the Simple Authentication and Security Layer (SASL) for authentication of such streams, using digital certificates issued by trusted root certificate authorities (CAs). Documentation of TLS and SASL within XMPP is provided in XMPP Core [3]. However, the Server Dialback protocol is still in wide use, and probably will be for the foreseeable future given the difficulty (real or perceived) of obtaining digital certificates issued by common CAs.

Therefore it is important to maintain accurate documentation of the Server Dialback protocol. Such documentation was originally provided in RFC 3920 [4]. Although that documentation was removed from rfc3920bis [5], it is still provided in this specification for the sake of interoperability.

1.2 What Dialback Accomplishes

Server Dialback is a method for weak identify verification. Such verification depends on the Domain Name System (DNS) and the use of keys based on a shared secret known to all XMPP servers within a given trust domain.

Since October 2000, the use of Server Dialback has made it more difficult to spoof the hostnames of servers (and therefore the addresses of sent messages) on the XMPP network. However, Server Dialback does not provide authentication between servers and is not a security mechanism. Domains requiring high security are advised to use TLS and SASL with certificates issued by trusted roots.

Server Dialback is uni-directional, and results in weak identity verification for one XML stream in one direction. Because Server Dialback is not an authentication mechanism, mutual authentication is not possible via dialback. Therefore, Server Dialback must be completed in each direction in order to enable bi-directional communication between two domains.

Dialback does not verify that the IP address returned by a DNS lookup of the originating domain is the same as the source IP address of the incoming TCP connection. While this may often be true, not performing this check enables large deployments to separate incoming and outgoing message routing.

1.3 When Dialback Is Used

Server Dialback is typically used in two scenarios:

When a peer service does not support XMPP 1.0 as defined in RFC 3920 or, more generally, does not offer negotiation of TLS.
When STARTTLS negotiation succeeds with a peer service but the peer's certificate can not be be used to establish the peer's identity.

Both of these scenarios result in an untrusted connection. However, depending on local security policies, a server might accept such an untrusted connection if the use of Server Dialback results in weak identity verification.

Dialback is not used if SASL is used for server-to-server authentication, since SASL provides strong authentication using certificates, pre-established passwords, or other credentials.

1.4 How Dialback Works

The basic idea behind Server Dialback is that a receiving server does not accept XMPP traffic from a sending server until it has "called back" the authoritative server for the domain asserted by the sending server, and verified that the sending server is truly authorized to generate XMPP traffic for that domain.

A helpful analogy might be the following telephone scenario:

A representative from your electric utility company knocks on your front door and says he needs to enter your house.
Rather than letting him in, you ask for his employee ID number and politely close the door for a few moments.
You open the phone book, find the authoritative phone number for the utility company's headquarters, and call them on the phone.
After being transferred to the customer service department, you ask if a rep with that particular ID number is authorized to be visiting your house.
The company tells you that the rep is authorized, so you thank them and hang up.
You then reopen the front door and allow the rep to enter your house.

In Server Dialback, the equivalent of the utility company representative is the ORIGINATING SERVER, i.e., the machine that wants to send a message to an entity at a destination domain and thus is attempting to establish a connection between the two servers. The equivalent of the person at the house is the RECEIVING SERVER, i.e., the machine to which the Originating Server has opened a connection for the purpose of sending the message and thus is trying to assert that the Originating Server represents the domain which it claims to be. And the equivalent of the company headquarters is the AUTHORITATIVE SERVER, i.e., the machine that yields from a DNS lookup for the domain asserted by the Originating Server; for basic environments this will be the Originating Server, but it could be a separate machine in the Originating Server's network (where "network" is defined by knowledge of a shared secret for verification of dialback keys).

The basic flow of events in Server Dialback is as follows:

The Originating Server performs a DNS lookup on the hostname of the Receiving Server, opens a TCP connection to the discovered IP address and port, and establishes an XML stream with the Receiving Server (optional if there already exists an XML stream between Originating Server and Receiving Server).
Step 1: The Originating Server generates a dialback key and sends that value over its XML stream with the Receiving Server.
The Receiving Server does not immediately accept XML stanzas on the connection but instead performs a DNS lookup on the hostname of the Authoritative Server, opens a TCP connection to the discovered IP address and port, and establishes an XML stream with the Authoritative Server (optional if there already exists an XML stream between Originating Server and Receiving Server).
Step 2: The Receiving Server sends the same dialback key over its XML stream with the Authoritative Server for verification.
Step 3: The Authoritative Server replies that the key is valid or invalid.
Step 4: The Receiving Server informs the Originating Server whether its identify has been verified or not.

After step 4, the Originating Server is authorized to send stanzas from the Originating Domain to the Receiving Domain as used in the 'to' and 'from' attributes of the dialback negotiation. In addition to a weak identity verification of the Originiating Domain this also ensures that the Receiving Server is accepting stanzas for the Receiving Domain.

We can represent this flow of events graphically as follows.

Originating               Receiving
  Server                    Server
-----------               ---------
    |                         |
    |   perform DNS lookup,   |
    |   open TCP connection,  |
    |   and establish stream  |
    | ----------------------> |
    |                         |                   Authoritative
    |   send dialback key     |                       Server
    | --------(1)-----------> |                   -------------
    |                         |                         |
    |                         |   perform DNS lookup,   |
    |                         |   open TCP connection,  |
    |                         |   and establish stream  |
    |                         | ----------------------> |
    |                         |                         |
    |                         |   send verify request   |
    |                         | ---------(2)----------> |
    |                         |                         |
    |                         |   send verify response  |
    |                         | <--------(3)----------- |
    |                         |
    |  report dialback result |
    | <-------(4)------------ |
    |                         |

Note: Opening a new TCP connection and establishing a new stream may not always be necessary before steps 1 and 2.

1.5 Stream Reuse

A single XML stream between Originating and Receiving Server may be used to send stanzas for more than one originating and receiving domain. This usage is for historical reasons called "piggybacking". There are two variants of this:

Origin Piggybacking, which negotiates different originating domains.
Destination Piggybacking, which negotiates different receiving domains.

Note: RFC 3920 introduced a <host-unknown/> stream error that was to be used when the Receiving Server was not configured to serve the Receiving Domain. This has effectively prevented Destination Piggybacking. This document proposes to use dialback errors instead, which do not result in a termination of the underlying XML stream, as it may already be used for sending XML stanzas from Originating Server to Receiving Server. The error is transported in <db:result/> and <db:verify/> elements with the 'type' attribute set to 'error'.

2. Protocol

Note: All XML elements qualified by the Server Dialback namespace MUST be prefixed with the namespace prefix advertised on the stream header originally sent by the entity sending the element.

Section 2.1 describes the protocol from the point of view of an active, outgoing connection from the Originating Server. Section 2.2 describes the protocol from the point of view of an incoming connection on the Receiving Server. Note that both parts can be implemented, tested and used separately.

2.1 Outgoing Connection

Dialback usually takes place after the TCP connection and the XML stream to the Receiving Server have been established, but the Originating Server has not yet provided identification. Apart from reusing connections this can also happen if the stream was first used to send a verification request to the Authoritative Server. This section describes the behaviour of an outgoing connection that is established by the server 'example.org' who is assuming the role of Originating Server in section 2.1.1 and Receiving Server in section 2.1.2.

2.1.1 Dialback Request and Response

This subsection describes the protocol used by the Originating Server ('example.org') to achive validation of a pair of domains on the XML stream by the Receiving Server ('xmpp.example.com').

When the Originating Server has stanzas for the domain pair (Originating Server/Receiving Server), does not have a verified connection or is currently attempting to get a verified connection for this domain pair, it sends a new dialback key to the Receiving Server.

This is done by creating a <db:result/> element whose XML character data is the dialback key; the element MUST possess a 'from' attribute whose value is the hostname of the Originating Server and MUST possess a 'to' attribute whose value is the hostname of the Receiving Server.

Example 1. Send Dialback Key (step 1)

send: <db:result
         from='example.org'
         to='xmpp.example.com'>
       37c69b1cf07a3f67c04a5ef5902fa5114f2c76fe4a2686482ba5b89323075643
     </db:result>

Note: see Dialback Key Generation and Validation [6] for the recommended key generation method. The key sent is generated as

key = HMAC-SHA256( 
                   SHA256('s3cr3tf0rd14lb4ck'), 
                   { 'xmpp.example.com', ' ', 'example.org', ' ', 'D60000229F'}
                 )

After that, the Originating Server waits for the verification result. Any stanzas for this domain pair have to be queued. The Originating Server MUST NOT attempt to reverify this domain pair on this connection.

Note: While waiting for the verification result, the Originating Server SHOULD continue to send stanzas for any pair of domains that have been verified on that connection. It MAY send out additional dialback keys for different domain pairs and issue dialback verification requests as described in section 2.1.2. To avoid Denial-of-Service attacks, the Originating Server MAY impose a timeout on key verification.

If the stream or the underlying TCP connection is closed by the remote side while waiting for the verification result, this is to be handled similar to receiving a negative result as described below.

After the Receiving Server has verified the request, the Originating Server receives the verification result.

Example 2. Receive Verification Result (step 4)

recv: <db:result
         from='xmpp.example.com'
         to='example.org'
         type='valid'/>

Example 3. Receive Verification Result (step 4)

recv: <db:result
         from='xmpp.example.com'
         to='example.org'
         type='invalid'/>

If the value of the 'type' attribute is 'valid', then the connection between the domain pair is considered verified and any queued stanzas are sent. If the value of the 'type' attribute is 'invalid', this means that our identity could not be established by the Receiving Server. Queued stanzas MUST be bounced back to the respective senders with a <remote-server-timeout/> stanza error and the underlying stream MAY be closed unless it is not used by other domain pairs.

Note: the Receiving Server MAY use any method to determine the validity of the dialback key and the identity of the Originating Sever. The Originating Server MUST NOT make any assumptions about how the Receiving Server verifies the key. This includes the assumption that the key is ever verified by the Receiving Server.

Example 4. Receive Dialback Error (step 4)

recv: <db:result
         from='xmpp.example.com'
         to='example.org'
         type='error'/>

If the value of the 'type' attribute is 'error', this indicates a problem which is not related to the validity of the dialback key provided. An example of this is that the Receiving Server is not configured to serve for the hostname given in the 'to' attribute of the dialback request. The original value given there is used in the 'from' attribute of the error reply (note: this does not imply that the Receiving Server is serving this domain). This error is to be considered non-fatal for the XML stream, but queued stanzas MUST be bounced to the respective senders with a <remote-server-timeout/> stanza error.

Note Well: Use of the "error" value was unspecified in RFC 3920. The usage herein is similar to the <host-unknown/> stream error in RFC3920, however this error is non-fatal and does not result in termination of the stream and the underlying TCP connection, which may already be used for sending XML stanzas for other domain pairs.

2.1.2 Verify Request and Response

This subsection describes a protocol used in the role of a Receiving Server ('example.org') to establish the identity of the Originating Server ('xmpp.example.com') by sending the dialback key provided to an Authorative Server. Alternative verification methods for determining are out of scope for this document.

To determine the validity of a dialback key, the Receiving Server needs to establish communications with the Authoritative Server. To do so, it may either reuse an existing XML stream or needs to establish a new connection.

After the XML stream is established, the Receiving Server sends the verification request. This is done by creating a <db:verify/> element whose XML character data is the dialback key; the element MUST possess a 'from' attribute whose value is the hostname of the Receiving Server, MUST possess a 'to' attribute whose value is the hostname of the Originating Server as provided in the 'from' attribute of step 1, and MUST possess an 'id' attribute whose value is the stream identifier from the Receiving Server's response stream header to the Originating Server. The combination of 'from', 'to' and 'id' attributes makes it possible for the Receiving Server to uniquely identify the TCP connection that the original request was received on in step 1.

Note: Implementations may open a separate connection to the Authorative Server for the sole purpose of doing key verification.

Example 5. Send Verification Request (step 2)

send: <db:verify
         from='example.org'
         id='417GAF25'
         to='xmpp.example.com'>
       38b501ec606752318f72ad53de17ac6d15f86257485b0d8f5d54e1f619e6b869
     </db:verify>

After that, the Receiving Server waits for the verification result. While doing so, it may still use the connection to send any valid stanzas or dialback packets.

Example 6. Key is Valid (step 3)

recv: <db:verify
         from='xmpp.example.com'
         id='417GAF25'
         to='example.org'
         type='valid'>
     </db:verify>

Or:

Example 7. Key is Invalid (step 3)

recv: <db:verify
         from='xmpp.example.com'
         id='417GAF25'
         to='example.org'
         type='invalid'>
     </db:verify>

In addition to the values 'valid' and 'invalid', the 'type' attribute may also have a value of 'error'. This is usually an indication that the Authoritative Server is not authoritative for the domain.

Note: Use of the "error" value was unspecified in RFC3920.

Example 8. Dialback Error (step 3)

recv: <db:verify
         from='xmpp.example.com'
         to='example.org'
         id='417GAF25'
         type='error'>
     </db:verify>

Note: if the underlying TCP connection is closed by the remote side while there are pending verification requests, those requests may be considered failed and should be treated like a error response.

After receiving the validation result from the Authoritative Server, the Receiving Server determines the incoming connection that the dialback key was originally received on. This connection is uniquely identified by the combination of the 'from', 'to' and 'id' attributes. If no incoming connection is found that matches this combination, the verification result can be dropped silently. If an incoming connection is found, the Receiving Server uses it to communicate the verification result to the Originating Server. A positive result indicates the willingness of the Receiving Server to accept stanzas from the Originating Domain for the Receiving Domain from the Originating Server.

2.2 Incoming connection

This section describes the behaviour of an incoming connection on the server 'xmpp.example.com' from 'example.org', inverting the roles sender and receiver as used in the previous subsection.

2.2.1 Dialback Request and Response

Example 9. Receiving Server Processes Key (step 1)

recv: <db:result
         from='example.org'
         to='xmpp.example.com'>
       37c69b1cf07a3f67c04a5ef5902fa5114f2c76fe4a2686482ba5b89323075643
     </db:result>

This key must be verified before the Originating Domain ('example.org') is authorized to send stanzas. This may fail prematurely, for example, if the Receiving Server's policy states that connections from the Receiving Domain are not allowed.

The usual method for verifying that the Originating Server is authorized to send stanzas for the Originating Domain is to 'dial-back' the Authoritative Server for the Originating Domain and asking it to validate the dialback key which is contained in the XML character data of the request. Other methods may be used for verifying the identity of the Originating Server, but are out of scope for this document.

Note: the Receiving Server MUST continue to accept and process stanzas for already verified domain pairs, and MUST continue to process both < db:result/< and <db:verify/> elements.

If the Receiving Domain as given in the 'to' attribute of the element is not a configured domain of the Receiving Server, this results in a dialback error. This error is not a stream error and therefore MUST NOT result in termination of the stream and the underlying TCP connection, which may already be used for sending XML stanzas for other domain pairs.

Example 10. Send Dialback Error (step 6)

send: <db:result
         from='xmpp.example.com'
         to='example.org'
         type='error'/>

Note: Use of the "error" value was unspecified in RFC3920.

After the validity of the key has been established (for example, by the Authoritative Server), the domain pair is to be considered as verified and the connection MUST accept stanzas. If the key validation failed, no action is to be taken.

In addition, the Originating Server is notified of the result. This is done by creating a <db:result/> element which MUST possess a 'from' attribute whose value is the hostname of the Receiving Server, MUST possess a 'to' attribute whose value is the hostname of the Originating Server, and MUST possess a 'type' attribute whose value is either "valid" or "invalid".

Example 11. Send Valid Verification Result (step 6)

send: <db:result
         from='xmpp.example.com'
         to='example.org'
         type='valid'/>

Or:

Example 12. Send Invalid Verification Result (step 6)

send: <db:result
         from='xmpp.example.com'
         to='example.org'
         type='invalid'/>

2.2.2 Verify Request and Response

Example 13. Receiving Server Sends Verification Request (step 2)

recv: <db:verify
         from='example.org'
         id='417GAF25'
         to='xmpp.example.com'>
       38b501ec606752318f72ad53de17ac6d15f86257485b0d8f5d54e1f619e6b869
     </db:verify>

If the Receiving Domain as given in the 'to' attribute of the element does not match a configured local domain, this results in a dialback error. This error is not a stream error and therefore MUST NOT result in termination of the stream and the underlying TCP connection, which may already be used for sending XML stanzas for other domain pairs.

Example 14. Dialback error (step 3)

send: <db:verify
         from='xmpp.example.com'
         to='example.org' 
         id='417GAF25'
         type='error'/>

Upon receiving this <db:verify/> element, the validity of the dialback key provided in the XML character data of the element is determined. This may be achived for example by comparing the character data with the output of applying the key generation mechanism for the values of the 'from', 'to' and 'id' attributes as described in XEP 0185:

key = HMAC-SHA256( 
                   SHA256('d14lb4ck43v3r'), 
                   { 'example.org', ' ', 'xmpp.example.com', ' ', '417GAF25'}
                 )
    = 38b501ec606752318f72ad53de17ac6d15f86257485b0d8f5d54e1f619e6b869 (key is valid)

The Receiving Server is then notified of the validity of the key. This is done by creating a <db:verify/> element which MUST possess 'from' and 'to' attributes whose values are swapped from the request, MUST possess an 'id' attribute whose value is copied from the 'id' value of the request, and MUST possess a 'type' attribute whose value is either "valid" or "invalid".

Example 15. Key is Valid (step 3)

send: <db:verify
         from='xmpp.example.com'
         id='417GAF25'
         to='example.org'
         type='valid'/>

Or:

Example 16. Key is Invalid (step 3)

send: <db:verify
         from='xmpp.example.com'
         id='417GAF25'
         to='example.org'
         type='invalid'/>

3. Security Considerations

Server Dialback helps protect against domain spoofing, thus making it more difficult to spoof XML stanzas. It is not a mechanism for authenticating, securing, or encrypting streams between servers as is done via SASL and TLS, and results in weak verification of server identities only. Furthermore, it is susceptible to DNS poisoning attacks unless DNSSEC (see RFC 4033 [7]) is used. Even if the DNS information is accurate, Server Dialback cannot protect against attacks where the attacker is capable of hijacking the IP address of the remote domain. Domains requiring robust security SHOULD use TLS and SASL. If SASL is used for server-to-server authentication, Server Dialback SHOULD NOT be used since it is unnecessary. However, completing dialback ensures that a bidirectional exchange of messages can happen with the remote domain.

4. IANA Considerations

5. XMPP Registrar Considerations

5.1 Protocol Namespaces

The XMPP Registrar [9] includes 'jabber:server:dialback' in its registry of protocol namespaces (see <http://xmpp.org/registrar/namespaces.html>).

6. XML Schema

6.1 Dialback

Note Well: the "error" value for the 'id' attribute was added since RFC3920.

<?xml version='1.0' encoding='UTF-8'?>

<xs:schema
    xmlns:xs='http://www.w3.org/2001/XMLSchema'
    targetNamespace='jabber:server:dialback'
    xmlns='jabber:server:dialback'
    elementFormDefault='qualified'>

  <xs:element name='result'>
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base='xs:NMTOKEN'>
          <xs:attribute name='from' type='xs:string' use='required'/>
          <xs:attribute name='to' type='xs:string' use='required'/>
          <xs:attribute name='type' use='optional'>
            <xs:simpleType>
              <xs:restriction base='xs:NCName'>
                <xs:enumeration value='error'/>
                <xs:enumeration value='invalid'/>
                <xs:enumeration value='valid'/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>

  <xs:element name='verify'>
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base='xs:NMTOKEN'>
          <xs:attribute name='from' type='xs:string' use='required'/>
          <xs:attribute name='id' type='xs:NMTOKEN' use='required'/>
          <xs:attribute name='to' type='xs:string' use='required'/>
          <xs:attribute name='type' use='optional'>
            <xs:simpleType>
              <xs:restriction base='xs:NCName'>
                <xs:enumeration value='error'/>
                <xs:enumeration value='invalid'/>
                <xs:enumeration value='valid'/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>

</xs:schema>

Appendices

Appendix A: Document Information

Appendix B: Author Information

Appendix C: Legal Notices

Copyright

Permissions

Permission is hereby granted, free of charge, to any person obtaining a copy of this specification (the "Specification"), to make use of the Specification without restriction, including without limitation the rights to implement the Specification in a software program, deploy the Specification in a network service, and copy, modify, merge, publish, translate, distribute, sublicense, or sell copies of the Specification, and to permit persons to whom the Specification is furnished to do so, subject to the condition that the foregoing copyright notice and this permission notice shall be included in all copies or substantial portions of the Specification. Unless separate permission is granted, modified works that are redistributed shall not contain misleading information regarding the authors, title, number, or publisher of the Specification, and shall not claim endorsement of the modified works by the authors, any organization or project to which the authors belong, or the XMPP Standards Foundation.

Disclaimer of Warranty

## NOTE WELL: This Specification is provided on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. In no event shall the XMPP Standards Foundation or the authors of this Specification be liable for any claim, damages, or other liability, whether in an action of contract, tort, or otherwise, arising from, out of, or in connection with the Specification or the implementation, deployment, or other use of the Specification. ##

Limitation of Liability

In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall the XMPP Standards Foundation or any author of this Specification be liable for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising out of the use or inability to use the Specification (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if the XMPP Standards Foundation or such author has been advised of the possibility of such damages.

IPR Conformance

This XMPP Extension Protocol has been contributed in full conformance with the XSF's Intellectual Property Rights Policy (a copy of which may be found at <http://xmpp.org/extensions/ipr-policy.shtml> or obtained by writing to XSF, P.O. Box 1641, Denver, CO 80201 USA).

Appendix D: Relation to XMPP

The Extensible Messaging and Presence Protocol (XMPP) is defined in the XMPP Core (RFC 3920) and XMPP IM (RFC 3921) specifications contributed by the XMPP Standards Foundation to the Internet Standards Process, which is managed by the Internet Engineering Task Force in accordance with RFC 2026. Any protocol defined in this document has been developed outside the Internet Standards Process and is to be understood as an extension to XMPP rather than as an evolution, development, or modification of XMPP itself.

Appendix E: Discussion Venue

The primary venue for discussion of XMPP Extension Protocols is the <standards@xmpp.org> discussion list.

Appendix F: Requirements Conformance

The following requirements keywords as used in this document are to be interpreted as described in RFC 2119: "MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD", "RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".