[Standards] Password protected rooms

Kevin Smith kevin at kismith.co.uk
Wed Feb 11 07:25:43 UTC 2009

On Tue, Feb 10, 2009 at 11:02 PM, Kurt Zeilenga <Kurt.Zeilenga at isode.com> wrote:
> It seems not so sensible when the admin happens to be authenticating
> directly to the server hosting the chatroom.  But for the case where the
> administrator authenticates elsewhere, possibly to a server under separate
> administrative control, (to the extent that password protected rooms are at
> all sensible) it seems at least reasonable for a server to be allowed to
> require the administrator know the password.

If we assume secure s2s, it seems that requiring the muc owner know a
password only protects against a compromised (or maliciously adminned)
server where the user can be impersonated by the server admin. Given
that the muc password is sent in plaintext, a compromised server could
pull this out of the stream anyway, so does it buy us much to require
a password for the muc owner?
