[Members] In-Band Registration with Jabber.org

Robert B Quattlebaum, Jr. darco at deepdarc.com
Thu Oct 26 14:05:25 CDT 2006

On Oct 26, 2006, at 5:56 AM, Tomasz Sterna wrote:

> On 10/26/06, Robert B Quattlebaum, Jr. <darco at deepdarc.com> wrote:
>> I really think that jabber.org should not allow anonymous jabber:iq:register
>> for account creation. I think that it sets a bad precedent, and is ripe for
>> automation and other sorts of abuse. At the very least, jabber.org should do
>> some sort of email-address verification, but currently it does nothing.
> I can't see why we cannot do e-mail verification during in-band registration.
> Or any other method of verifying users.

OK, then let's do that. Make it required.

> How does registering via HTTP differ from registering via XMPP?

HTTP registration should be an option for users of clients which  
either implement jabber:iq:register poorly or not at all.

>> on the jabber.org site. Such a page should have a CAPTCHA and at least get
> You've said a very, very bad word. I see a flame coming. :-)

I'm fine tossing the CAPTCHA, but we need some sort of verification.  
We could do this:

If the IP of the user is not on a black-hole list (BHL), the email
verification works, and the email server is not on a black-hole list,  
then the user account should be granted.

If the user's IP or the IP of the email server is on a BHL, then give  
them the CAPTCHA. That way, the overwhelming majority of users would  
not have to bother with a CAPTCHA.

> But... We have a method for that.
> http://www.xmpp.org/extensions/xep-0158.html

Deferred... hmm... I'd be fine with implementing it.

>> We need to take measures now to help prevent the public federated jabber
>> network from becoming a hostile environment.
> It was discussed before:
> http://www.xmpp.org/extensions/xep-0158.html
> http://www.xmpp.org/extensions/xep-0159.html
> http://www.xmpp.org/extensions/xep-0161.html
> http://www.xmpp.org/extensions/xep-0165.html

None of these have been implemented, and they all have red  
disclaimers. In-band registration as it is currently implemented on  
jabber.org is just waiting to be abused. I'm suggesting that we  
prevent that instead of waiting until the abuse begins.

Robert Quattlebaum
Jabber: darco at deepdarc.com
eMail:  darco at deepdarc.com
www:    http://www.deepdarc.com/
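
The registration gate proposed in the message above (black-hole-list checks on the user's IP and the mail server, with a CAPTCHA only as fallback), sketched as an added example that is not part of the original post or of any jabber.org code. The zone name `dnsbl.example.org`, the function names, the injected `resolve` callable and the "pending" outcome for unverified email are assumptions; the lookup uses the usual DNSBL convention of reversed IPv4 octets under the list's zone.

```python
import ipaddress

# Hypothetical DNSBL zone; an operator would use the black-hole list they trust.
DNSBL_ZONE = "dnsbl.example.org"


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: reversed IPv4 octets prepended to the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve):
    """An address is listed when its query name resolves to at least one record.

    `resolve` takes a hostname and returns a list of addresses, empty when the
    name does not exist. A deployment would wrap a real DNS lookup here.
    """
    return bool(resolve(dnsbl_query_name(ip)))


def registration_decision(client_ip, mail_server_ips, email_verified, resolve):
    """Return 'grant', 'captcha' or 'pending' for one registration attempt."""
    if not email_verified:
        # Assumption: the post does not say what happens when verification
        # fails, so the account is simply not created yet.
        return "pending"
    # Either the user's IP or any mail server IP being listed triggers the CAPTCHA.
    if any(is_listed(ip, resolve) for ip in [client_ip, *mail_server_ips]):
        return "captcha"
    return "grant"


# Constructed sample data: a stub resolver standing in for DNS, with one
# documentation-range address marked as listed.
_LISTED = {dnsbl_query_name("192.0.2.66"): ["127.0.0.2"]}


def stub_resolve(name):
    return _LISTED.get(name, [])


if __name__ == "__main__":
    for client, mx in [("198.51.100.7", ["203.0.113.25"]),
                       ("192.0.2.66", ["203.0.113.25"]),
                       ("198.51.100.7", ["192.0.2.66"])]:
        print(client, mx, registration_decision(client, mx, True, stub_resolve))
```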
