[standards-jig] JEP-0078 iq:auth change suggestion

Iain Shigeoka iain at jivesoftware.com
Thu Jun 26 18:17:53 UTC 2003


Hi,

In section 3.1 the original iq-get in iq:auth recommends "If there is 
no such username, the server SHOULD NOT return an error, but instead 
SHOULD return the normal authentication fields". This is good advice to 
avoid hackers learning user accounts on the system.

However, some/most clients (Exodus for sure) rely on receiving a 401 
error at the iq-get stage of iq:auth in order to automatically try to 
register an account. Thus servers that follow this guidance will become 
incompatible with the auto-registration features of clients. Since 
jabberd1.4 implements it with a 401 on unknown accounts, I think we 
should add a note indicating this fact and the tradeoffs of 
security versus compatibility in following this advice.

Thoughts?

-iain

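The two server behaviours the post contrasts, as an added example that is not part of the original message or of any server's code: a handler for the jabber:iq:auth iq-get that either follows the JEP-0078 section 3.1 advice (always return the authentication fields) or the jabberd1.4 behaviour (401 for unknown accounts), plus the check an operator would run to see whether a deployment's replies distinguish existing from non-existing usernames. The policy names, the sample account list, the iq ids and the Exodus-style trigger function are constructed for this example; the stanza shapes follow the legacy jabber:iq:auth flow with an old-style `<error code='401'/>`, which is an assumption about the 2003-era wire format.

```python
"""Added example: JEP-0078 recommended reply versus jabberd1.4-style 401
for the jabber:iq:auth iq-get. Standard library only; runs offline."""
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"

# Constructed sample account database for the demonstration.
KNOWN_USERS = {"alice", "bob"}


def auth_get(username: str, iq_id: str = "auth1") -> str:
    """Build the client's iq-get that opens the iq:auth exchange."""
    iq = ET.Element("iq", type="get", id=iq_id)
    query = ET.SubElement(iq, "query", xmlns=AUTH_NS)
    ET.SubElement(query, "username").text = username
    return ET.tostring(iq, encoding="unicode")


def parse_auth_get(stanza: str):
    """Return (iq id, username) from a client iq-get for jabber:iq:auth."""
    iq = ET.fromstring(stanza)
    if iq.tag != "iq" or iq.get("type") != "get":
        raise ValueError("expected an <iq type='get'>")
    query = iq.find(f"{{{AUTH_NS}}}query")
    if query is None:
        raise ValueError("missing jabber:iq:auth query")
    user = query.findtext(f"{{{AUTH_NS}}}username")
    if not user:
        raise ValueError("missing <username/>")
    return iq.get("id"), user


def auth_fields_result(iq_id: str, username: str) -> str:
    """JEP-0078 section 3.1 reply: the normal authentication fields."""
    iq = ET.Element("iq", type="result", id=iq_id)
    query = ET.SubElement(iq, "query", xmlns=AUTH_NS)
    ET.SubElement(query, "username").text = username
    for field in ("password", "digest", "resource"):
        ET.SubElement(query, field)
    return ET.tostring(iq, encoding="unicode")


def not_authorized_error(iq_id: str) -> str:
    """Legacy 401 reply (assumed wire shape) for an unknown account."""
    iq = ET.Element("iq", type="error", id=iq_id)
    err = ET.SubElement(iq, "error", code="401")
    err.text = "Unauthorized"
    return ET.tostring(iq, encoding="unicode")


def handle_auth_get(stanza: str, policy: str, known_users=KNOWN_USERS) -> str:
    """Server side of the iq-get under one of two constructed policies:
    'jep0078'  - always return the fields, never reveal whether the user exists
    'jabberd14' - 401 when the username is unknown (what the post describes)"""
    iq_id, user = parse_auth_get(stanza)
    if policy == "jep0078":
        return auth_fields_result(iq_id, user)
    if policy == "jabberd14":
        if user in known_users:
            return auth_fields_result(iq_id, user)
        return not_authorized_error(iq_id)
    raise ValueError(f"unknown policy {policy!r}")


def reply_shape(stanza: str):
    """Reduce a reply to what a client can observe apart from the echoed
    username: the iq type plus either the error code or the field list."""
    iq = ET.fromstring(stanza)
    if iq.get("type") == "error":
        return ("error", iq.find("error").get("code"))
    query = iq.find(f"{{{AUTH_NS}}}query")
    return ("result", tuple(c.tag.split("}")[-1] for c in query))


def reveals_account_existence(policy: str) -> bool:
    """Operator's self-check: do a known and an unknown username get
    distinguishable replies? True means the server leaks account existence."""
    known = reply_shape(handle_auth_get(auth_get("alice"), policy))
    unknown = reply_shape(handle_auth_get(auth_get("nobody"), policy))
    return known != unknown


def client_would_auto_register(reply: str) -> bool:
    """Constructed model of the Exodus-style trigger the post mentions:
    auto-registration is attempted only when the iq-get comes back as 401."""
    return reply_shape(reply) == ("error", "401")


if __name__ == "__main__":
    for policy in ("jep0078", "jabberd14"):
        leak = reveals_account_existence(policy)
        reg = client_would_auto_register(handle_auth_get(auth_get("nobody"), policy))
        print(f"{policy}: leaks account existence={leak}, auto-register fires={reg}")
```

Running the block prints the tradeoff the post describes in one line per policy: the JEP-0078 behaviour gives identical reply shapes for known and unknown usernames, so nothing is leaked, but the 401-driven auto-registration never fires; the jabberd1.4 behaviour keeps auto-registration working at the cost of answering "does this account exist" for anyone who asks.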