stpeter at jabber.org
Mon Jan 22 17:05:44 UTC 2007
Ian Paterson wrote:
> Servers should never know users' passwords unless that is absolutely
> necessary. Unfortunately XEP-0077 (Registration) currently encourages
> clients to send the user's password to the server!
> [You are probably aware that: With SASL auth the server does not need to
> know the user's password, only an MD5 password digest (that is unique to
> the host machine) is necessary. So even if the digest stored by the
> server becomes known to a third party it can't be used to access
> accounts on _other_ (non-IM) servers for which the user has chosen the
> same password (something almost everyone does). Unfortunately XEP-0077
> predates the adoption of SASL and therefore does not provide for this
> important security feature.]
> IMO new 'digest-md5' and 'old_digest-md5' fields should be added to the
> FORM_TYPEs defined in XEP-0077. The value of the fields would be:
> MD5(username | ":" | domain | ":" | password). And (now that non-SASL
> auth has been deprecated) the use of the <password/> element, and the
> 'password' and 'old_password' fields should be deprecated.
> Deprecation may not be possible since XEP-0077 has been 'Final' for some
> time. So perhaps we need a new XEP, very similar to XEP-0077, including
> x:data forms, but without the child elements (<password/>, <username/>
Yes, moving to pure data forms for in-band registration seems like the
right way to go. I think we can do that in XEP-0077 -- if we were to do
a new spec, I think we would also define a new namespace. Though perhaps
that's not a bad idea anyway...
> In any case, IMHO we should deprecate <password/> ASAP.
> - Ian
> P.S. there is a typo in the <name> element in section 12.4.3 of XEP-0077
XMPP Standards Foundation
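Added example (not code from the list post or from the XSF): the 'digest-md5' field Ian proposes, MD5(username ":" domain ":" password), is the same inner hash that SASL DIGEST-MD5 (RFC 2831) uses inside A1, so a server that stores only that value can still verify a DIGEST-MD5 login and the same password registered at another domain yields an unrelated digest. All usernames, domains, nonces and passwords below are constructed sample values.

```python
import hashlib


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def registration_digest(username: str, domain: str, password: str) -> str:
    """Proposed 'digest-md5' registration field: hex MD5(username:domain:password).
    This is the H(username:realm:password) at the core of DIGEST-MD5's A1
    (RFC 2831), so a server can store it and never see the password."""
    return md5(f"{username}:{domain}:{password}".encode()).hex()


def digest_md5_response(stored_digest_hex: str, nonce: str, cnonce: str,
                        nc: str, digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response-value for qop=auth without authzid, derived from the
    stored digest alone. The inner hash enters A1 as 16 raw octets, not as
    hex text (unlike HTTP Digest), a frequent interoperability mistake."""
    a1 = bytes.fromhex(stored_digest_hex) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    ha1, ha2 = md5(a1).hex(), md5(a2).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()


def demo() -> dict:
    # Constructed sample values; not from the list post or any real deployment.
    user, domain, password = "juliet", "example.com", "correct horse battery"
    # In-band registration: the client submits the digest field, not <password/>.
    stored_on_server = registration_digest(user, domain, password)
    # Later DIGEST-MD5 login (constructed challenge values).
    nonce, cnonce, nc = "srv-nonce-0001", "cli-cnonce-0001", "00000001"
    uri = f"xmpp/{domain}"
    # The client derives the inner hash from the password it knows...
    client_resp = digest_md5_response(
        registration_digest(user, domain, password), nonce, cnonce, nc, uri)
    # ...the server derives the expected value from the stored digest only.
    server_expect = digest_md5_response(stored_on_server, nonce, cnonce, nc, uri)
    wrong_resp = digest_md5_response(
        registration_digest(user, domain, "wrong guess"), nonce, cnonce, nc, uri)
    # Same user and password registered elsewhere: a digest leaked from
    # example.com's store is useless against other.example.
    elsewhere = registration_digest(user, "other.example", password)
    return {"login_ok": client_resp == server_expect,
            "wrong_password_rejected": wrong_resp != server_expect,
            "domain_separated": stored_on_server != elsewhere}


if __name__ == "__main__":
    print(demo())
```

The stored digest is bound to the domain, but it is still an unsalted MD5 of the password, so a leaked store remains open to offline guessing of weak passwords.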