[Standards-JIG] proposed In-Band Registration revisions
vinod.p at gmail.com
Thu Dec 8 05:40:13 UTC 2005
On 12/8/05, Peter Saint-Andre <stpeter at jabber.org> wrote:
> Several implementors have mentioned to me before that they consider the
> password change and deregistration use cases in JEP-0077 to be insecure
> since the old password is not required in order to complete them. (What
> if someone uses your computer while you step away for a minute and
> changes your password?) Therefore I have added some optional protocol
> flows to JEP-0077, using Data Forms to require additional information
> before allowing a password change or deregistration. As with the
> JEP-0071 changes, these revisions are provisional and need to be
> approved by the Jabber Council.
> CVS Modifications:
> Rendered version: http://www.jabber.org/jeps/tmp/jep-0077-2.2.html
> Feedback is welcome as always.
Good to see the changes regarding requirement of old password before
any changes are done. What about currently active sessions, though?