XSF Discussion - 2021-03-22

Just got off a 2h debugging session, where the root cause turned out to be the client using origin-id where it should have been using stanza-id

And what is the point of @id == origin-id/@id for normal chat messages?

Just pretend origin-id doesn't exist, and join the campaign to have it removed from the XEP :)

⤴️

Look at this and tell me, for each byte, why you really need it: ```xml <message type='chat' to='zash@recv.example' from='foo@sender.example/c' id='ceb792ed-e033-4e2d-8e00-c01dbc2e7673' xml:lang='en'> <body>Test</body> <request xmlns='urn:xmpp:receipts'/> <markable xmlns='urn:xmpp:chat-markers:0'/> <origin-id id='ceb792ed-e033-4e2d-8e00-c01dbc2e7673' xmlns='urn:xmpp:sid:0'/> <active xmlns='http://jabber.org/protocol/chatstates'/> <stanza-id id='BsxtFkWgYn1TCs5c' xmlns='urn:xmpp:sid:0' by='zash@recv.example'/> <delay xmlns='urn:xmpp:delay' stamp='2021-03-22T12:47:00Z' from='recv.example'/> </message> ```

:|

mdosch, those are not two IDs, there could be multiple <stanza-id/> elements, for example one from the user's archive and one from the MUCs archive

and <origin-id/> is simply the ID the entity where the stanza originated from assigned

🤔

and 'id' is what?

Ok, I think I go for 'pretend it doesn't exist' until I have time to thoroughly look at this.

mod_if_id_eq_origin_id_then_remove_it

I also don’t see why origin ID can’t be a stanza ID stamped by the originator :)

Kev, to avoid leaking the JID

consider a semi-anonymous MUC for example

Or a stanza-id with no originator, then :) But yes, I’d forgotten about that.

Kev, allowing <stanza-id/> without by attribute would complicate the rules for <stanza-id/> validation

Can we just get rid of origin-id and pretend it never existed?

et ceterum censeo origin-id delendam esse?

As someone asked what 'id' attribute is for, here is the RFC: > The 'id' attribute is used by the originating entity to track any response or error stanza that it might receive in relation to the generated stanza from another entity (such as an intermediate server or the intended recipient). > It is up to the originating entity whether the value of the 'id' attribute is unique only within its current stream or unique globally. > For <message/> and <presence/> stanzas, it is RECOMMENDED for the originating entity to include an 'id' attribute; for <iq/> stanzas, it is REQUIRED.

For messages, 0045 adds the requirement that “The [MUC] service SHOULD reflect the message with the same 'id' that was generated by the client, to allow clients to track their outbound messages.”

Which was only added "recently" and may be in conflict with RFC ✏

larma: what's the "current stream" in an s2s context?

Hard to say. But in RFC terms, the originator of a broadcasted MUC message clearly is the MUC service

larma: and it could "open" a new "stream" for each message

I'd be tempted to argue that a stream goes from sender ('from') to recipient ('to'), at least that would make sense in this context because every intermediary is allowed to send errors up to the recipient

But how does it match error messages then?

larma: when a stream goes between the respective JIDs, any implementation that eventually re-uses IDs is incompliant, because the stream exists as long as the JIDs exist

Ge0rG, huh? I can just not reuse the id with a single recipient but reuse with another recipient

i.e. sending <message id="1" to="a@example.org" /> and <message id="1" to="b@example.org" /> would then be allowed because any error message could still be matched ✏

larma: not what I'm taking about. You may never reuse an ID to a given recipient because you don't know if they did restart in the meantime

yes, that's true

except if you change your JID of course 😉

Well, welcome random non persistent resource identifiers!

Something something (kind, id, to, from) unique, or somesuch.

yeah, except that MUCs don't use random resource identifiers so they can't guarantee uniqueness on that pair when forwarding an incoming message.

And errors have to/from flipped. Easy. What we talking about?

So the RFC can't be followed in any sensible form and we should change it

larma, still applies to the full JID pairs, does it not?

Ge0rG, why?

larma: my point is that any implementation that will rely on id never repeating will have been broken a long time ago

on s2s?

Ge0rG, ehm, don't we see issues with clients when any other client do it repeatedly?

Because in practice, client implementations were considering a stream as their connection, and used an auto increment for IDs, and that caused repetition issues at all recipients

larma: only on receiving clients that think a "stream" is something eternal and persistent

in practice we have XEPs that by design would break should ids be reused.

we just workaround by making them use origin-id

If you do that, do you break anything but yourself (the client)? ✏

you typically break the recipient client 😉

larma: an evil client will break you by sending repeated origin-id. You haven't solved anything, you just limited the problem to pidgin.

it's not about evil clients, it's about standard compliant clients

Except that pidgin won't send origin-id so it's exactly the status quo, but with one more useless xml element

What if the MUC just renumbers all the messages, but includes the origin-id in the reflection back to the sender (and only to them)

Zash: what if MUC renumbers all the messages but the one sent to the original sending client?

But also what if the client gets reconnected between sending the message and getting the reflection?

Ge0rG, the original client wouldn't know the MUCs message id 😉

Let's just agree that MUC is just a bunch of hacks and undefined behavior

What if we stop relying on message id being unique except for purposes of reflection tracking?

You mean as it's described in the RFC?

Should a client be able to send a correction to a message that's still in flight?

Bring back "last" message correction

Or should we finally go ahead and mandate all IDs be HMAC(stream-id, stanza counter) ?

Zash: have the server rewrite any client ID into this format!

Yes

With eternal tracking, of course

Plus the client can know AOT what id messages will have

Didn't we invent this at every summit?

Zash: yes, and I liked it every time

Let's make it part of XMPP 2.0

But then it won't prove that the ID is really unique to other servers.

So we don't gain anything in the presence of malicious servers.

"Don't write malicious servers"

Except that you could terminate s2s to a server that sends repeating IDs

Make every entity on the path attach their own ƒ(stream-id, counter)! Seal it with crypto, no, blockchain!

Zash: but then we reuse the counter from 0198, only to realize that it'll wrap around at 2^31

`<reset xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>`, bye

(I'm sure the above is tongue-in-cheek but) unique message IDs are useful for threading/message attaching/reactions/etc. as well, right?

I seem to remember the original RFCs saying IDs SHOULD be globally unique, though I might be wrong.

deuill: yes. Any modern client will send globally unique IDs anyway

Twice. And then the MUC adds another. And some timestamps on that.

Hm, what's to prevent clients from sending duplicates?

Oh right yeah.

deuill: larma quoted the RFC one and a bit hours ago

Yeah I think Dino not doing MAM-MUC bit me there

Or is it MUC-MAM

deuill: an evil client can do whatever it wants. A broken client will make other clients break some functionality

MAM is always using the server generated IDs. Luckily, servers will never misbehave

True fact. Servers are perfect.

Praise be!

Trust in the server. The server is good.

What if we just did away with clients altogether and just had the servers talk to one another

To protect and serve?

YES

As a bonus we then get a pure p2p system

Zash: "server" is a discriminatory word, because serving is an implication of involuntary labor.

Having worked at a cafe in Greece, I can attest to that

Ge0rG: What, you don't tip your servers?

Zash: xmp2p!

Zash: no, I master them.

Please don't tip your servers, the hard drives will thank you

Hard drives have been forbidden a long time ago, because of the IDE Master Slave jumper ✏