[Operators] Remove old unused accounts?

Florian Thießen florian at thiessen.org
Fri Dec 11 13:18:20 CST 2009

Hash: SHA1

Peter Saint-Andre schrieb:
> On 12/10/09 5:21 PM, Mihael Pranjić wrote:
>> Am Freitag, 11. Dezember 2009 01:03:51 schrieben Sie:
>>> On 12/10/09 4:55 PM, Jonathan Schleifer wrote:
>>>> Am 10.12.2009 um 23:50 schrieb Mihael Pranjić:
>>>>> It clearly does sound like a sane idea. This would solve the problem
>>>>> of having
>>>>> multiple users use the same JID after it was deleted. But think of
>>>>> jabber accounts that were created, used for short time and then left
>>>>> lying aroung on
>>>>> the server. This includes unnecessarily created accounts and so on.
>>>>> However it
>>>>> is defined, on most public services there are many jabber accounts
>>>>> just lying
>>>>> around, unused. This makes it impossible for someone who would really
>>>>> like to
>>>>> use the same JID to register it, as he does not have the email adress.
>>>>> In short there wont be two different people using the same jabber
>>>>> account,
>>>>> regardless of the fact that there may be "garbage" accounts that are not
>>>>> really used. This makes it impossible tot get the jid, even for the
>>>>> people who
>>>>> would really use it.
>>>>> Captcha could prevent an amount of "garbage" accounts, but is not 100%
>>>>> proof.
>>>>> Anyone can still create accounts and not use them.
>>>> Well, you could make a difference between accounts that have been used
>>>> for a while and accounts that have been registered but never used. For
>>>> example, if the user never logged in two weeks after it has been
>>>> created, it is unlikely that the account has ever been used properly -
>>>> in this case, I guess it is safe to remove it, as I don't think someone
>>>> who just registered account will get important privileges anywhere.
>>> Says who?
>>> I tell all the people who matter that I'm creating a new account because
>>> I'm tired of having 2400 people in my roster at the old account, on day
>>> one I become a room owner for a bunch of chatrooms, then I go offline
>>> for a two-week vacation. I come home and my account is gone. What gives?
>>> Look, we can spin out weird scenarios all day.
>>> Peter
>> Yeah we can, but going through some scenarios can show up security issues 
>> related to this. If the discussion is not welcome we can stop *LOL*
>> If no one thinks this is a topic that should be discussed we can just close 
>> it. 
> Discussion is good, but I don't think we're making any progress here.
> In any case I'll think about this for the jabber.org service, but we
> have more pressing issues to work on right now.

If you logged in to become a room owner you're account wouldn't get
removed according to his statement, though.

"[...] and accounts that have been registered but never used. For
example, if the user never logged in two weeks [...]"

Removing accounts that haven't been used /at all/ for two weeks since
registration shouldn't raise any security issues even if re-registering
is allowed?


>> In my opinion though this issue comes with XMPP and it wont go away. Its 
>> related to its design. You just can not identify someone 100%. This is the 
>> same with email too. Maybe something with/like openpgp can be figured out. Any 
>> kind of unique signature. Openpgp can be used in client to client chats, but 
>> MUCs dont support unique identifying through something like openpgp. Once you 
>> prove a users pgp fingerprint and add it to the room configuration you could 
>> identify the user easily. I am not sure about how to implement this though, 
>> not even sure if it would work. Doesnt seem that insane though imho
> And how many people use PGP? That's not a scalable system for real people.
> Peter
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Operators mailing list