[Standards] Password protected rooms

Kurt Zeilenga Kurt.Zeilenga at isode.com
Wed Feb 11 12:58:01 UTC 2009


On Feb 10, 2009, at 11:25 PM, Kevin Smith wrote:

> On Tue, Feb 10, 2009 at 11:02 PM, Kurt Zeilenga <Kurt.Zeilenga at isode.com 
> > wrote:
>> It seems not so sensible when the admin happens to be authenticating
>> directly to the server hosting the chatroom.  But for the case  
>> where the
>> administrator authenticates elsewhere, possibly to a server under  
>> separate
>> administrative control, (to the extent that password protected  
>> rooms are at
>> all sensible) it seems at least reasonable for a server to be  
>> allowed to
>> require the administrator know the password.
>
> If we assume secure s2s, it seems that requiring the muc owner know a
> password only protects against a compromised (or maliciously adminned)
> server where the user can be impersonated by the server admin. Given
> that the muc password is sent in plaintext, a compromised server could
> pull this out of the stream anyway, so does it buy us much to require
> a password for the muc owner?

I'm thinking more about a non-comprised server case, but just the case  
of poor administrative practices.

Say the owner's account was deleted by his site's admin, and then that  
account name was reassigned to some other person.  Now a different  
person is in control of the owner's account.  This person might know  
or discover his account has ownership rights on various chatrooms and  
abuse those rights.

So I wonder if the password mechanism might be a way of mitigating  
risks associated with such administrative practices.

Server implementations can add features to deal with this problem with  
both the owner and chat room are hosted on the same server, but I  
don't know any way of deal well this in the remote case except by  
authentication of owner to room.

Now one can argue that the password does nothing to specifically  
authenticate the owner, so maybe the password doesn't well mitigate  
the risk.

-- Kurt



More information about the Standards mailing list