[Members] In-Band Regiration with Jabber.org

Robert B Quattlebaum, Jr. darco at deepdarc.com
Thu Oct 26 14:05:25 CDT 2006


On Oct 26, 2006, at 5:56 AM, Tomasz Sterna wrote:

> On 10/26/06, Robert B Quattlebaum, Jr. <darco at deepdarc.com> wrote:
>> I really think that jabber.org should not allow anonymous  
>> jabber:iq:register
>> for account creation. I think that it sets a bad precedent, and is  
>> ripe for
>> automation and other sorts of abuse. At the very least, jabber.org  
>> should do
>> some sort of email-address verification, but currently it does  
>> nothing.
>
> I can't see why we cannot do e-mail verification during in-band  
> registration.
> Or any other method of verifing users.

OK, then lets do that. Make is required.

> How does registering via HTTP differ from registering via XMPP?

HTTP registration should be an option for users of clients which  
either implement jabber:iq:register poorly or not at all.

>
>> on the jabber.org site. Such a page should have a CAPTCHA and at  
>> least get
>
> You've said a very, very bad word. I see a flame coming. :-)

I'm fine tossing the CAPTCHA, but we need some sort of verification.  
We could do this:

If the IP of the user is not on a black-hole list(BHL), the email  
verification works, and the email server is not on a black-hole list,  
then the user account should be granted.

If the user's IP or the IP of the email server is on a BHL, then give  
them the CAPTCHA. That way, the overwhelming majority of users would  
not have to bother with a CAPTCHA.

> But... We have mathod for that.
> http://www.xmpp.org/extensions/xep-0158.html

Deferred... hmm... I'd be fine with implementing it.

>> We need to take measures now to help prevent the public federated  
>> jabber
>> network from becoming a hostile environment.
>
> It was discussed before:
> http://www.xmpp.org/extensions/xep-0158.html
> http://www.xmpp.org/extensions/xep-0159.html
> http://www.xmpp.org/extensions/xep-0161.html
> http://www.xmpp.org/extensions/xep-0165.html

None of these have been implemented, and they all have red  
disclaimers. In-band registration as it is currently implemented on  
jabber.org is just waiting to be abused. I'm suggesting that we  
prevent that instead of waiting until the abuse begins.

__________________
Robert Quattlebaum
Jabber: darco at deepdarc.com
eMail:  darco at deepdarc.com
www:    http://www.deepdarc.com/




More information about the Members mailing list