[Standards] XEP-0077

Ian Paterson ian.paterson at clientside.co.uk
Mon Jan 22 14:11:43 UTC 2007


Servers should never know users' passwords unless that is absolutely 
necessary. Unfortunately XEP-0077 (Registration) currently encourages 
clients to send the user's password to the server!

[You are probably aware that: With SASL auth the server does not need to 
know the user's password, only an MD5 password digest (that is unique to 
the host machine) is necessary. So even if the digest stored by the 
server becomes known to a third party it can't be used to access 
accounts on _other_ (non-IM) servers for which the user has chosen the 
same password (something almost everyone does). Unfortunately XEP-0077 
predates the adoption of SASL and therefore does not provide for this 
important security feature.]

IMO new 'digest-md5' and 'old_digest-md5' fields should be added to the 
FORM_TYPEs defined in XEP-0077. The value of the fields would be: 
MD5(username | ":" | domain | ":" | password). And (now that non-SASL 
auth has been deprecated) the use of the <password/> element, and the 
'password' and 'old_password' fields should be deprecated.

Deprecation may not be possible since XEP-0077 has been 'Final' for some 
time. So perhaps we need a new XEP, very similar to XEP-0077, including 
x:data forms, but without the child elements (<password/>, <username/> 
etc.).

In any case, IMHO we should deprecate <password/> ASAP.

- Ian

P.S. there is a typo in the <name> element in section 12.4.3 of XEP-0077
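An added worked example (not part of the message above, and not code from XEP-0077 or any XMPP server): the proposed 'digest-md5' registration field computed as MD5(username ":" domain ":" password), a toy server that stores only that value, and a SASL DIGEST-MD5 (RFC 2831) exchange verified from the stored digest alone, which is what makes the proposal work: the digest is exactly the H(A1) seed DIGEST-MD5 derives from the password, with the XMPP domain as the realm. The field names 'digest-md5' and the FORM_TYPE 'jabber:iq:register' follow the proposal; the class and function names, the digest-uri 'xmpp/example.com' and the sample credentials are constructed for this illustration. Two caveats a practitioner will want: the stored digest is still password-equivalent for that one domain (anyone holding it can authenticate there without the password, as the last part of the example shows), and MD5 appears here because the protocol mandates it, not as a recommendation.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

XDATA = "{jabber:x:data}"


def registration_digest(username: str, domain: str, password: str) -> str:
    """Proposed 'digest-md5' field: MD5(username ":" domain ":" password), hex.
    Identical to the H(username:realm:password) seed of RFC 2831 DIGEST-MD5
    when the XMPP domain is used as the realm."""
    return hashlib.md5(f"{username}:{domain}:{password}".encode("utf-8")).hexdigest()


def build_registration_form(username: str, domain: str, password: str) -> str:
    """Client side: a jabber:iq:register x:data submission carrying the digest
    instead of a clear-text <password/>. The password never leaves this function."""
    iq = ET.Element("iq", type="set", id="reg1")
    # xmlns is emitted as a literal attribute so the receiving parser sees real namespaces.
    query = ET.SubElement(iq, "query", xmlns="jabber:iq:register")
    x = ET.SubElement(query, "x", xmlns="jabber:x:data", type="submit")
    for var, value in (("FORM_TYPE", "jabber:iq:register"),
                       ("username", username),
                       ("digest-md5", registration_digest(username, domain, password))):
        ET.SubElement(ET.SubElement(x, "field", var=var), "value").text = value
    return ET.tostring(iq, encoding="unicode")


def digest_md5_response(ha1_hex: str, nonce: str, cnonce: str, nc: str,
                        digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 'response' value (no authzid, qop=auth), computed from the stored
    H(username:realm:password) rather than from the password itself."""
    a1 = hashlib.md5(bytes.fromhex(ha1_hex) + f":{nonce}:{cnonce}".encode()).hexdigest()
    a2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}".encode()).hexdigest()


class RegistrationServer:
    """Toy server (constructed for this example) that stores only the digest
    and verifies DIGEST-MD5 logins from it."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.accounts: dict[str, str] = {}  # username -> digest; no passwords anywhere

    def register(self, form_xml: str) -> str:
        root = ET.fromstring(form_xml)
        fields = {f.get("var"): f.findtext(f"{XDATA}value") for f in root.iter(f"{XDATA}field")}
        if fields.get("FORM_TYPE") != "jabber:iq:register":
            raise ValueError("unexpected FORM_TYPE")
        if "password" in fields:
            raise ValueError("clear-text password submitted; refusing it")
        digest = fields.get("digest-md5") or ""
        if len(digest) != 32 or set(digest) - set("0123456789abcdef"):
            raise ValueError("digest-md5 must be 32 lowercase hex characters")
        self.accounts[fields["username"]] = digest
        return fields["username"]

    def challenge(self) -> str:
        return secrets.token_hex(16)  # server nonce

    def verify(self, username: str, nonce: str, cnonce: str, nc: str,
               digest_uri: str, response: str) -> bool:
        ha1 = self.accounts.get(username)
        if ha1 is None:
            return False
        expected = digest_md5_response(ha1, nonce, cnonce, nc, digest_uri)
        return secrets.compare_digest(expected, response)


def client_login(server: RegistrationServer, username: str, password: str,
                 digest_uri: str) -> bool:
    """Client side of the SASL exchange: derive H(A1) locally from the password,
    answer the server's nonce, and let the server verify from its stored digest."""
    nonce = server.challenge()
    cnonce, nc = secrets.token_hex(8), "00000001"
    ha1 = registration_digest(username, server.domain, password)
    response = digest_md5_response(ha1, nonce, cnonce, nc, digest_uri)
    return server.verify(username, nonce, cnonce, nc, digest_uri, response)


if __name__ == "__main__":
    srv = RegistrationServer("example.com")
    srv.register(build_registration_form("alice", "example.com", "s3cret"))
    print("login ok:", client_login(srv, "alice", "s3cret", "xmpp/example.com"))
    print("wrong password:", client_login(srv, "alice", "wrong", "xmpp/example.com"))
```

Running the script registers 'alice' without the server ever seeing 's3cret', then authenticates her with DIGEST-MD5 from the stored digest. A digest registered for a different domain differs even for the same password, which is the cross-server protection the message argues for; within example.com, though, a leaked digest can be fed straight into digest_md5_response and will pass verification.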