[Standards-JIG] proposed In-Band Registration revisions

Vinod Panicker vinod.p at gmail.com
Thu Dec 8 05:40:13 UTC 2005


On 12/8/05, Peter Saint-Andre <stpeter at jabber.org> wrote:
> Several implementors have mentioned to me before that they consider the
> password change and deregistration use cases in JEP-0077 to be insecure
> since the old password is not required in order to complete them. (What
> if someone uses your computer while you step away for a minute and
> changes your password?) Therefore I have added some optional protocol
> flows to JEP-0077, using Data Forms to require additional information
> before allowing a password change or deregistration. As with the
> JEP-0071 changes, these revisions are provisional and need to be
> approved by the Jabber Council.
>
> CVS Modifications:
> http://jabberstudio.org/cgi-bin/viewcvs.cgi/cvs/jeps/0077/jep-0077.xml?r1=1.48&r2=1.49
>
> Rendered version: http://www.jabber.org/jeps/tmp/jep-0077-2.2.html
>
> Feedback is welcome as always.

Good to see the changes regarding requirement of old password before
any changes are done. What about currently active sessions, though?

http://mail.jabber.org/pipermail/standards-jig/2005-November/009215.html

Regards,
Vinod.


