When a user wants to subscribe to someone else's presence, it sends a presence with type subscribe as usual. If the server realizes that the requester has no permission to see the other user's presence, it forwards the subscription request, but not before having appended the requester's public key using a variant of XEP-0189.
<presence type='subscribe' from='[email protected]' to='[email protected]'>
<pubkey xmlns='urn:xmpp:pubkey:2'>
<key>[Base64-encoded public key block]</key>
<print>[key fingerprint in HEX digits without spaces]</print>
</pubkey>
</presence>