[Standards] XEP-0077

Peter Saint-Andre stpeter at jabber.org
Mon Jan 22 17:05:44 UTC 2007

Ian Paterson wrote:
> Servers should never know users' passwords unless that is absolutely 
> necessary. Unfortunately XEP-0077 (Registration) currently encourages 
> clients to send the user's password to the server!
> [You are probably aware that: With SASL auth the server does not need to 
> know the user's password, only an MD5 password digest (that is unique to 
> the host machine) is necessary. So even if the digest stored by the 
> server becomes known to a third party it can't be used to access 
> accounts on _other_ (non-IM) servers for which the user has chosen the 
> same password (something almost everyone does). Unfortunately XEP-0077 
> predates the adoption of SASL and therefore does not provide for this 
> important security feature.]
> IMO new 'digest-md5' and 'old_digest-md5' fields should be added to the 
> FORM_TYPEs defined in XEP-0077. The value of the fields would be: 
> MD5(username | ":" | domain | ":" | password). And (now that non-SASL 
> auth has been depricated) the use of the <password/> element, and the 
> 'password' and 'old_password' fields should be depricated.
> Deprication may not be possible since XEP-0077 has been 'Final' for some 
> time. So perhaps we need a new XEP, very similar to XEP-0077, including 
> x:data forms, but without the child elements (<password/>, <username/> 
> etc.).

Yes, moving to pure data forms for in-band registration seems like the 
right way to go. I think we can do that in XEP-0077 -- if we were to do 
a new spec, I think we would also define a new namespace. Though perhaps 
that's not a bad idea anyway...

> In any case, IMHO we should depricate <password/> ASAP.
> - Ian
> P.S. there is a typo in the <name> element in section 12.4.3 of XEP-0077

Yes, fixed.


Peter Saint-Andre
XMPP Standards Foundation

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7358 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20070122/6c732469/attachment.bin>

More information about the Standards mailing list