[standards-jig] JEP-0078 iq:auth change suggestion
iain at jivesoftware.com
Thu Jun 26 18:17:53 UTC 2003
In section 3.1 the original iq-get in iq:auth recommends "If there is
no such username, the server SHOULD NOT return an error, but instead
SHOULD return the normal authentication fields". This is good advice to
avoid hackers learning user accounts on the system.
However, some/most clients (Exodus for sure) rely on receiving a 401
error at the iq-get stage of iq:auth in order to automatically try to
register an account. Thus servers that follow this guidance will become
incompatible with the auto-registration features of clients. Since
jabberd1.4 implements it with a 401 on unknown accounts, I think we
should either add a note indicating this fact and the tradeoffs of
security versus compatibility in following this advice.
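The iq:auth get/response exchange described above, as an added example that is not from the post, jabberd1.4 or Exodus: the account set and stanza ids are constructed, and the 401 error body (code attribute, "Unauthorized" text) is an assumed old-style shape. The server function can answer either uniformly (the section 3.1 SHOULD) or with the 401 that auto-registering clients expect, and a check shows which mode lets an unauthenticated sender tell existing accounts from missing ones.

```python
import xml.etree.ElementTree as ET

NS_AUTH = "jabber:iq:auth"

# Constructed sample account store (not real data).
KNOWN_USERS = {"alice", "bob"}


def build_auth_get(username: str, stanza_id: str = "auth1") -> str:
    """Client side: iq-get asking which auth fields the server accepts."""
    iq = ET.Element("iq", type="get", id=stanza_id)
    query = ET.SubElement(iq, "query", xmlns=NS_AUTH)
    ET.SubElement(query, "username").text = username
    return ET.tostring(iq, encoding="unicode")


def handle_auth_get(stanza: str, known_users=KNOWN_USERS,
                    leak_existence: bool = False) -> str:
    """Server side. leak_existence=False: identical fields for known and
    unknown usernames (JEP-0078 3.1). True: 401 on unknown accounts, the
    behaviour clients use to trigger auto-registration."""
    iq = ET.fromstring(stanza)
    stanza_id = iq.get("id", "")
    username = iq.findtext(f"{{{NS_AUTH}}}query/{{{NS_AUTH}}}username") or ""
    if leak_existence and username not in known_users:
        # Assumed old-style error shape; it discloses that the account is absent.
        reply = ET.Element("iq", type="error", id=stanza_id)
        ET.SubElement(reply, "error", code="401").text = "Unauthorized"
        return ET.tostring(reply, encoding="unicode")
    # Uniform reply: same fields whether or not the account exists.
    reply = ET.Element("iq", type="result", id=stanza_id)
    query = ET.SubElement(reply, "query", xmlns=NS_AUTH)
    ET.SubElement(query, "username").text = username
    for field in ("password", "digest", "resource"):
        ET.SubElement(query, field)
    return ET.tostring(reply, encoding="unicode")


def reply_reveals_missing_account(reply: str) -> bool:
    """True when the reply is a 401 error, i.e. the sender learns the account is absent."""
    iq = ET.fromstring(reply)
    err = iq.find("error")
    return iq.get("type") == "error" and err is not None and err.get("code") == "401"


def replies_distinguishable(user_a: str, user_b: str, known_users=KNOWN_USERS,
                            leak_existence: bool = False) -> bool:
    """Server-side check: do replies for two usernames differ in anything but the echoed name?"""
    def shape(user: str) -> str:
        reply = handle_auth_get(build_auth_get(user), known_users, leak_existence)
        return reply.replace(user, "{user}")
    return shape(user_a) != shape(user_b)
```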