[Standards] Account Management protoXEP

Dave Cridland dave at cridland.net
Wed Nov 9 15:55:44 UTC 2011


On Wed Nov  9 14:46:19 2011, Jehan Pagès wrote:
> > We can't do this here. It's not an impossible concept, but the place to
> > define such a standard would be in the IETF's Kitten working group, not
> > here. (In case anyone wonders, Kitten = "Son of Cat"; Cat = "Common
> > Authentication Technologies".)
> >
> > If this were to happen, then (and only then) there'd be a compelling reason
> > for password changes to run through something different.
> 
> I don't really understand your remark. This is what and how this is
> implemented in SCRAM (indeed defined by the IETF in the Kitten Working
> Group). SCRAM already allows this kind of feature (never sending
> anything other than encrypted data over the wire, the server never having
> the actual password, etc.). This is actually what my XEP is based on
> and why I thought now was the right time for a change, as we passed to
> SCRAM as a mandatory-to-implement technology.
> Note that the XEP being flexible, it won't give any issue to any other
> server (even one not using SCRAM), and I explain how to have something
> similar to XEP-0077 with the PLAIN storage, but it at least gives
> security to all recent servers.

There exists no technology or framework for setting credentials in a  
uniform and flexible manner for multiple authentication mechanisms.

Your XEP appears to aim to design such a framework.

My position is that this kind of work should not happen in the XSF -  
we do not have the expertise.

So for this aspect of the proposal to happen, that needs work outside  
of the XSF that we can build on.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
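For readers following the SCRAM part of this exchange, the following is an added worked example, not code from the thread, from XEP-0077, or from the proposed XEP. It computes, per RFC 5802 (SCRAM-SHA-1), the per-user record a SCRAM server actually keeps (salt, iteration count, StoredKey, ServerKey), the proof a client sends, and the server-side check, using the RFC's own section 5 test vector (user "user", password "pencil"). The names ScramRecord, enroll, client_proof, server_verify and rfc5802_example are mine, chosen for this illustration.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

HASH = hashlib.sha1  # SCRAM-SHA-1: H() is SHA-1, HMAC is HMAC-SHA-1 (RFC 5802)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class ScramRecord:
    """What a SCRAM server stores per user. Note what is absent:
    neither the password nor ClientKey is kept, so a stolen record
    cannot be replayed as a client proof without first inverting H."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey)
    server_key: bytes   # HMAC(SaltedPassword, "Server Key")


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # RFC 5802 Hi() is PBKDF2 with HMAC-H and dkLen equal to H's output size.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)


def enroll(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> ScramRecord:
    """Server-side credential setting: derive the record, then forget the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", HASH).digest()
    server_key = hmac.new(sp, b"Server Key", HASH).digest()
    return ScramRecord(salt, iterations, HASH(client_key).digest(), server_key)


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); the password never leaves the client."""
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", HASH).digest()
    stored_key = HASH(client_key).digest()
    client_signature = hmac.new(stored_key, auth_message, HASH).digest()
    return xor_bytes(client_key, client_signature)


def server_verify(record: ScramRecord, auth_message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_signature = hmac.new(record.stored_key, auth_message, HASH).digest()
    client_key = xor_bytes(proof, client_signature)
    return hmac.compare_digest(HASH(client_key).digest(), record.stored_key)


def server_signature(record: ScramRecord, auth_message: bytes) -> bytes:
    """What the server returns in v= so the client can authenticate the server."""
    return hmac.new(record.server_key, auth_message, HASH).digest()


# RFC 5802 section 5 example exchange (salt and nonces are the RFC's, not constructed).
RFC_SALT_B64 = "QSXCR+Q6sek8bf92"
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=" + RFC_SALT_B64 + ",i=4096"
CLIENT_FINAL_NO_PROOF = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = ",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF]).encode("ascii")


def rfc5802_example() -> dict:
    salt = base64.b64decode(RFC_SALT_B64)
    record = enroll("pencil", salt, 4096)          # what the server keeps after enrolment
    proof = client_proof("pencil", salt, 4096, AUTH_MESSAGE)
    bad_proof = client_proof("pencil2", salt, 4096, AUTH_MESSAGE)  # wrong password, same nonces
    return {
        "proof": base64.b64encode(proof).decode("ascii"),
        "verified": server_verify(record, AUTH_MESSAGE, proof),
        "wrong_password_rejected": not server_verify(record, AUTH_MESSAGE, bad_proof),
        "server_signature": base64.b64encode(server_signature(record, AUTH_MESSAGE)).decode("ascii"),
        "record_holds_password": b"pencil" in (record.stored_key + record.server_key + record.salt),
    }


if __name__ == "__main__":
    for k, v in rfc5802_example().items():
        print(f"{k}: {v}")
```

The record returned by enroll is what a "set credentials" operation would have to produce on the server for SCRAM-SHA-1: a salt, an iteration count, StoredKey and ServerKey, all tied to this one hash function. A PLAIN-only server needs something else entirely (the password, or whatever it compares the password against), which is the mechanism-specific gap the reply above is pointing at.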