RFC Errata
RFC 6121, "Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence", March 2011
Source of RFC: xmpp (rai)
Errata ID: 5058
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Florian Schmaus
Date Reported: 2017-07-02
Held for Document Update by: Ben Campbell
Date Held: 2017-07-10
Section 2.1.6 says:
2. A receiving client MUST ignore the stanza unless it has no 'from'
attribute (i.e., implicitly from the bare JID of the user's
account) or it has a 'from' attribute whose value matches the
user's bare JID <user@domainpart>.
It should say:
2. A receiving client MUST ignore the stanza unless it has no 'from'
attribute (i.e., implicitly from the bare JID of the user's
account) or it has a 'from' attribute whose value matches either
the user's bare JID <user@domainpart> or the address of an entity
authorized performing roster pushes.
Notes:
RFC 6121 § 2.1.6 2. specifies that roster pushes have to origin from the "user's account", i.e., no 'from' attribute or 'from' attribute matching the user's bare JID. However the Security Warning in the same section states that
... this specification allows entities other than the user's server to
maintain roster information, which means that a roster push might
include a 'from' address other than the bare JID of the user's
account. Therefore, the client MUST check the 'from' address to
verify that the sender of the roster push is authorized to update
the roster.
which contradicts what is specified in § 2.1.6 2.
Verifier note: This seems more than editorial, and probably needs some discussion about third party authorizations. I will set the status to "Held for Document Update"