[Members] In-Band Registration with Jabber.org

Robert B Quattlebaum, Jr. darco at deepdarc.com
Sat Oct 28 15:17:31 CDT 2006

On Oct 28, 2006, at 3:31 AM, Ian Paterson wrote:

> As Tomasz said those XEPs are only "Deferred" because we don't  
> expect anyone to implement them until the SPIM "war" begins. Coding  
> up an implementation usually takes *far* less time than developing  
> and agreeing a protocol. Despite their "Deferred" status the content  
> of those XEPs is pretty mature. So IMHO we're sufficiently prepared.
> I just checked a couple of minor changes to XEP-0158 and XEP-0159  
> into CVS, and asked Peter to publish new versions of the XEPs with  
> Experimental status.
> Robert, it would be great if you decide to implement these XEPs and  
> XEP-0161. I expect any implementation experience or feedback you  
> can provide would result in valuable additions to the documents.  
> And the XMPP developer community would be even better prepared. :-)

I would be happy to help in whatever way I can, including helping to  
establish some implementations of these XEPs (if for no other purpose  
than to provide a test which client developers can use).

However, the issue still stands that the registration process at  
Jabber.org is easily automated and abused. Based on the responses I  
have received so far, it seems that people want to wait for one of  
two things to happen:

1) For XEP-0158 and XEP-0159 to be implemented in ejabberd and  
deployed widely across clients.
2) For someone to actually start abusing the existing registration  

This *IS* going to be abused unless we fix it soon. I'm just amazed  
that people aren't seeing this.

IMHO, the most realistic approach is as follows:

1. Make email verification a requirement for jabber.org account  
activation. Existing accounts should be 'grandfathered' in.
2. Implement a web page for account registration for the clients  
which either a) implement jabber:iq:register poorly, or b) don't  
implement jabber:iq:register at all.

This would be a good start, and I think it makes everyone happy:  
jabber:iq:register sticks around, and as an added bonus people can  
now register accounts if their client doesn't support  
jabber:iq:register at all.

I'd even go so far as to say that this should be a part of a jabber  
server administration "best practices" XEP.

Robert Quattlebaum
Jabber: darco at deepdarc.com
eMail:  darco at deepdarc.com
www:    http://www.deepdarc.com/
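
The activation rule proposed in point 1 of the message above, as an added example (not part of the original message, and not ejabberd or jabber.org code): new accounts stay inactive until an e-mailed token is confirmed, while accounts created before the policy date are grandfathered. The `Registry` class, the secret, the token lifetime and the cutoff timestamp are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: per-server key, kept out of the DB
TOKEN_TTL = 24 * 3600                # assumption: confirmation links live one day
CUTOFF = 1_162_000_000               # constructed epoch: earlier accounts are grandfathered


def make_token(jid, email, issued_at):
    """Bind the token to the JID, the address being verified and the issue time."""
    msg = "\0".join((jid, email, str(issued_at))).encode()
    return f"{issued_at}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def verify_token(jid, email, token, now):
    try:
        issued_str, _mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:               # malformed token: no dot or non-numeric time
        return False
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False                 # expired, or issued "in the future"
    expected = make_token(jid, email, issued_at)
    return hmac.compare_digest(token.encode(), expected.encode())


class Registry:
    def __init__(self):
        self.accounts = {}           # jid -> {"email", "created", "verified"}

    def register(self, jid, email, now):
        if jid in self.accounts:
            raise ValueError("JID already registered")
        self.accounts[jid] = {"email": email, "created": now, "verified": False}
        return make_token(jid, email, now)   # a real server would e-mail this

    def confirm(self, jid, token, now):
        acct = self.accounts.get(jid)
        if acct is None or not verify_token(jid, acct["email"], token, now):
            return False
        acct["verified"] = True
        return True

    def may_login(self, jid):
        acct = self.accounts.get(jid)
        return acct is not None and (acct["verified"] or acct["created"] < CUTOFF)
```

Both the in-band jabber:iq:register path and the web registration page from point 2 could call the same `register` and `confirm` functions, so the verification requirement cannot be bypassed by choosing the other entry point.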
