[Standards] Account Management protoXEP
dave at cridland.net
Wed Nov 9 15:55:44 UTC 2011
On Wed Nov 9 14:46:19 2011, Jehan Pagès wrote:
> > We can't do this here. It's not an impossible concept, but the
> > place to define such a standard would be in the IETF's Kitten
> > working group, not here. (In case anyone wonders, Kitten = "Son of
> > Cat"; Cat = "Authentication Technologies".)
> > If this were to happen, then (and only then) there'd be a
> > compelling reason for password changes to run through something
> > different.
> I don't really understand your remark. This is exactly what is
> implemented in SCRAM, and how (indeed defined by the IETF in the
> Kitten Group). SCRAM already allows this kind of feature (never
> sending anything other than encrypted data over the wire, the server
> never having the actual password, etc.). This is actually what my
> XEP is based on, and why I thought now was the right time for a
> change, as we passed SCRAM as a mandatory-to-implement technology.
> Note that the XEP being flexible, it won't cause any issue for any
> server (even one not using SCRAM), and I explain how to have
> something similar to XEP-0077 with the PLAIN storage, but at least
> it gives security to all recent servers.
There exists no technology or framework for setting credentials in a
uniform and flexible manner for multiple authentication mechanisms.
Your XEP appears to aim to design such a framework.
My position is that this kind of work should not happen in the XSF -
we do not have the expertise.
So for this aspect of the proposal to happen, that needs work outside
of the XSF that we can build on.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
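The SCRAM property Jehan refers to above (the server keeps only verifiers derived from the password, and authentication never puts the password on the wire) is worth seeing in code. The following is an added example written for this archive page; it is not code from the thread, from Jehan's XEP or from any XMPP project. It follows the RFC 5802 derivation (SaltedPassword, ClientKey, StoredKey, ServerKey) with SHA-1 as the hash, assumes the password is already SASLprep-normalised, and uses a constructed password, salt and AuthMessage. The `password_change_payload` function and its field names are an assumption about what a client would upload to replace its credentials; no XEP on this page defines that format.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not from the thread or any XEP.  HASH_NAME is an assumption;
# RFC 5802 also requires SASLprep on the password, which is omitted here.
HASH_NAME = "sha1"


@dataclass(frozen=True)
class ScramVerifier:
    """What a SCRAM server stores per account: never the password itself."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey): enough to verify a client proof
    server_key: bytes   # HMAC(SaltedPassword, "Server Key"): proves server identity


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # SaltedPassword := Hi(password, salt, i), which is PBKDF2 with HMAC-HASH.
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def make_verifier(password: str, salt: bytes, iterations: int) -> ScramVerifier:
    # Computed entirely on the client; only the result needs to reach the server.
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", HASH_NAME).digest()
    stored_key = hashlib.new(HASH_NAME, client_key).digest()
    server_key = hmac.new(sp, b"Server Key", HASH_NAME).digest()
    return ScramVerifier(salt, iterations, stored_key, server_key)


def password_change_payload(v: ScramVerifier) -> dict:
    # Hypothetical wire form of a credential update: base64 fields, no password.
    return {
        "salt": base64.b64encode(v.salt).decode("ascii"),
        "iterations": v.iterations,
        "stored_key": base64.b64encode(v.stored_key).decode("ascii"),
        "server_key": base64.b64encode(v.server_key).decode("ascii"),
    }


def verifier_from_payload(payload: dict) -> ScramVerifier:
    return ScramVerifier(
        base64.b64decode(payload["salt"]),
        int(payload["iterations"]),
        base64.b64decode(payload["stored_key"]),
        base64.b64decode(payload["server_key"]),
    )


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    # ClientProof := ClientKey XOR HMAC(StoredKey, AuthMessage); salt and
    # iteration count are learned from the server-first message.
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", HASH_NAME).digest()
    stored_key = hashlib.new(HASH_NAME, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, HASH_NAME).digest()
    return _xor(client_key, client_sig)


def server_verify(v: ScramVerifier, auth_message: bytes, proof: bytes) -> bool:
    # The server recovers ClientKey from the proof and checks H(ClientKey)
    # against StoredKey; it never needs SaltedPassword or the password.
    client_sig = hmac.new(v.stored_key, auth_message, HASH_NAME).digest()
    recovered_client_key = _xor(proof, client_sig)
    candidate = hashlib.new(HASH_NAME, recovered_client_key).digest()
    return hmac.compare_digest(candidate, v.stored_key)


def server_signature(v: ScramVerifier, auth_message: bytes) -> bytes:
    # ServerSignature := HMAC(ServerKey, AuthMessage), sent in server-final.
    return hmac.new(v.server_key, auth_message, HASH_NAME).digest()


def client_verify_server(password: str, salt: bytes, iterations: int,
                         auth_message: bytes, server_sig: bytes) -> bool:
    sp = salted_password(password, salt, iterations)
    server_key = hmac.new(sp, b"Server Key", HASH_NAME).digest()
    expected = hmac.new(server_key, auth_message, HASH_NAME).digest()
    return hmac.compare_digest(expected, server_sig)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a captured exchange.
    pw, salt, iters = "correct horse battery", b"constructed-salt", 4096
    auth_msg = b"n=user,r=cnonce,r=cnoncesnonce,s=Y29uc3RydWN0ZWQ=,i=4096,c=biws,r=cnoncesnonce"
    stored = verifier_from_payload(password_change_payload(make_verifier(pw, salt, iters)))
    print("server stores:", password_change_payload(stored))
    print("right password accepted:", server_verify(stored, auth_msg, client_proof(pw, salt, iters, auth_msg)))
    print("wrong password accepted:", server_verify(stored, auth_msg, client_proof("wrong", salt, iters, auth_msg)))
```

Under this model a password change is just the upload of a fresh verifier (new salt, new StoredKey and ServerKey) computed on the client, which is precisely the credential-setting step that, as Dave notes, no mechanism-independent framework yet defines; the example shows what such an upload would have to carry for SCRAM specifically and why the server side can verify logins without ever holding the password.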