XEP-0421: Anonymous unique occupant identifiers for MUCs

This specification defines a method that allows clients to identify a MUC participant across reconnects and renames. It thus prevents impersonification of anonymous users.
Marvin Wissfeld
© 2019 – 2019 XMPP Standards Foundation. SEE LEGAL NOTICES.


NOTICE: This document is currently within Last Call or under consideration by the XMPP Council for advancement to the next stage in the XSF standards process. The Last Call ends on 2024-05-27. Please send your feedback to the standards@xmpp.org discussion list.
Standards Track
0.1.0 (2019-08-20)
Document Lifecycle
  1. Experimental
  2. Proposed
  3. Stable
  4. Final

1. Introduction

Multi-User Chat (XEP-0045) [1] allows the creation of semi-anonymous multi-user text chats where the real JID of a occupant can not be discovered by other MUC occupants except moderators. As such users can freely join with using any identity of their choice, allowing to impersonate users while they are not online.

With recent standard extensions, it becomes more relevant to be able to know if the occupant that sends one message is the same as the sender of another message, for example for Last Message Correction (XEP-0308) [2]. At the same time it becomes harder for clients to determine this, for example due to the use of Message Archive Management (XEP-0313) [3] with MUCs.

This specification defines a method to combat issues arising out of the anonymity of MUC occupants while at the same time ensuring their privacy by not leaking their real JID to other occupants.

2. Discovering support

If a MUC implements anonymous unique occupant identifiers, it MUST specify the 'urn:xmpp:occupant-id:0' feature in its service discovery information features as specified in Service Discovery (XEP-0030) [4].

Example 1. Client requests information about a MUC
<iq type='get'
  <query xmlns='http://jabber.org/protocol/disco#info'/>
Example 2. MUC advertises support for anonymous unique occupant identifiers
<iq type='result'
  <query xmlns='http://jabber.org/protocol/disco#info'>
    <feature var='urn:xmpp:occupant-id:0'/>

3. Use Cases

3.1 Entering a Room

When a user enters a room, they send a presence to claim the nickname in the MUC. A MUC that supports anonymous unique occupant identifiers attaches an <occupant-id> element to the presence sent to all occupants in the room.

Example 3. Client sends a message
  <x xmlns='http://jabber.org/protocol/muc'/>
Example 4. Service Sends New Occupant's Presence to All Occupants
  <x xmlns='http://jabber.org/protocol/muc#user' />
  <occupant-id xmlns="urn:xmpp:occupant-id:0" id="dd72603deec90a38ba552f7c68cbcc61bca202cd" />

3.2 Sending a Message to All Occupants

An occupant sends a message to all other occupants in the room by sending a message of type "groupchat" to the <room@service>. A MUC supporting anonymous unique occupant identifiers attaches an <occupant-id> element to the message sent to all occupants in the room.

Example 5. Occupant Sends a Message to All Occupants
  <body>Harpier cries: 'tis time, 'tis time.</body>
Example 6. Service Reflects Message to All Occupants
  <body>Harpier cries: 'tis time, 'tis time.</body>
  <occupant-id xmlns="urn:xmpp:occupant-id:0" id="dd72603deec90a38ba552f7c68cbcc61bca202cd" />

4. Business Rules

Messages and presences MUST NOT contain more then one <occupant-id> element. If the message or presence received by the MUC service already contains <occupant-id> element, the MUC service MUST replace such element before reflecting the message or presence including it.

The <occupant-id> element MUST be attached to every message and every presence sent by a MUC. This includes messages sent as part of the discussion history after joining a room, requested via Message Archive Management (XEP-0313) [3] or any other means.

The <occupant-id> element MUST be ignored if support for the feature is not announced via Service Discovery (XEP-0030) [4], as malicious clients might forge occupant identifiers if the room does not support them.

A MUC service MAY allow the administrator to enable or disable occupant identifiers on a per-room basis. If occupant identifiers are force enabled for all rooms on a MUC service, it SHOULD additionally specify the 'urn:xmpp:occupant-id:0' feature on the MUC service. It MUST NOT specify the feature on the service otherwise.

4.1 Occupant ID generation

The occupant identifier MUST be generated such that it is stable. This means that if a user joins the same room a second time, the occupant identifier MUST be the same as was assigned the first time. A user in the sense of this specification is identified by its real bare JID.

The occupant identifier MUST be generated such that it is unique. This means that it MUST be sufficiently improbable that one user is able to re-create the occupant identifier of another user.

The occupant identifier MUST be generated such that it is anonymous. This means that it MUST be sufficiently hard to determine the real bare JID of an occupant from its occupant identifier. Additionally, a MUC service SHOULD generate the identifier such that the occupant identifier of a user in one room of the service does not match the occupant identifier of the same user in another room of the same service.

The occupant identifier MUST have a maximum length of 128 characters. The recipient MUST consider the occupant identifier to be an opaque string.

One way to ensure these properties is to generate a private secret key for every room and use an HMAC algorithm with a sufficiently secure hash function to generate the occupant identifier from the real bare JID and that secret key. This procedure ensures all the required properties with minimal server side storage requirements.

5. Security Considerations

If a MUC uses occupant identifiers, nickname changes will be visible to all occupants of the room. Clients MAY warn users about this circumstance before joining the room.

6. IANA Considerations

This document requires no interaction with the Internet Assigned Numbers Authority (IANA) [5].

7. XMPP Registrar Considerations

7.1 Protocol Namespaces

The XMPP Registrar [6] includes 'urn:xmpp:occupant-id:0' in its registry of protocol namespaces (see <https://xmpp.org/registrar/namespaces.html>).


Appendix A: Document Information

XMPP Standards Foundation
Standards Track
Last Updated
Approving Body
XMPP Council
XMPP Core, XEP-0001, XEP-0030, XEP-0045
Superseded By
Short Name
Source Control

This document in other formats: XML  PDF

Appendix B: Author Information

Marvin Wissfeld


This XMPP Extension Protocol is copyright © 1999 – 2024 by the XMPP Standards Foundation (XSF).


Permission is hereby granted, free of charge, to any person obtaining a copy of this specification (the "Specification"), to make use of the Specification without restriction, including without limitation the rights to implement the Specification in a software program, deploy the Specification in a network service, and copy, modify, merge, publish, translate, distribute, sublicense, or sell copies of the Specification, and to permit persons to whom the Specification is furnished to do so, subject to the condition that the foregoing copyright notice and this permission notice shall be included in all copies or substantial portions of the Specification. Unless separate permission is granted, modified works that are redistributed shall not contain misleading information regarding the authors, title, number, or publisher of the Specification, and shall not claim endorsement of the modified works by the authors, any organization or project to which the authors belong, or the XMPP Standards Foundation.

Disclaimer of Warranty

## NOTE WELL: This Specification is provided on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. ##

Limitation of Liability

In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall the XMPP Standards Foundation or any author of this Specification be liable for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising from, out of, or in connection with the Specification or the implementation, deployment, or other use of the Specification (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if the XMPP Standards Foundation or such author has been advised of the possibility of such damages.

IPR Conformance

This XMPP Extension Protocol has been contributed in full conformance with the XSF's Intellectual Property Rights Policy (a copy of which can be found at <https://xmpp.org/about/xsf/ipr-policy> or obtained by writing to XMPP Standards Foundation, P.O. Box 787, Parker, CO 80134 USA).

Visual Presentation

The HTML representation (you are looking at) is maintained by the XSF. It is based on the YAML CSS Framework, which is licensed under the terms of the CC-BY-SA 2.0 license.

Appendix D: Relation to XMPP

The Extensible Messaging and Presence Protocol (XMPP) is defined in the XMPP Core (RFC 6120) and XMPP IM (RFC 6121) specifications contributed by the XMPP Standards Foundation to the Internet Standards Process, which is managed by the Internet Engineering Task Force in accordance with RFC 2026. Any protocol defined in this document has been developed outside the Internet Standards Process and is to be understood as an extension to XMPP rather than as an evolution, development, or modification of XMPP itself.

Appendix E: Discussion Venue

The primary venue for discussion of XMPP Extension Protocols is the <standards@xmpp.org> discussion list.

Discussion on other xmpp.org discussion lists might also be appropriate; see <https://xmpp.org/community/> for a complete list.

Errata can be sent to <editor@xmpp.org>.

Appendix F: Requirements Conformance

The following requirements keywords as used in this document are to be interpreted as described in RFC 2119: "MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD", "RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".

Appendix G: Notes

1. XEP-0045: Multi-User Chat <https://xmpp.org/extensions/xep-0045.html>.

2. XEP-0308: Last Message Correction <https://xmpp.org/extensions/xep-0308.html>.

3. XEP-0313: Message Archive Management <https://xmpp.org/extensions/xep-0313.html>.

4. XEP-0030: Service Discovery <https://xmpp.org/extensions/xep-0030.html>.

5. The Internet Assigned Numbers Authority (IANA) is the central coordinator for the assignment of unique parameter values for Internet protocols, such as port numbers and URI schemes. For further information, see <http://www.iana.org/>.

6. The XMPP Registrar maintains a list of reserved protocol namespaces as well as registries of parameters used in the context of XMPP extension protocols approved by the XMPP Standards Foundation. For further information, see <https://xmpp.org/registrar/>.

Appendix H: Revision History

Note: Older versions of this specification might be available at https://xmpp.org/extensions/attic/

  1. Version 0.1.0 (2019-08-20)
    Accepted by vote of Council on 2019-07-17.
    XEP Editor (jsc)
  2. Version 0.0.1 (2019-07-13)

    First draft.


Appendix I: Bib(La)TeX Entry

  title = {Anonymous unique occupant identifiers for MUCs},
  author = {Wissfeld, Marvin},
  type = {XEP},
  number = {0421},
  version = {0.1.0},
  institution = {XMPP Standards Foundation},
  url = {https://xmpp.org/extensions/xep-0421.html},
  date = {2019-07-13/2019-08-20},