[Standards] Account Management protoXEP
kevin at kismith.co.uk
Fri Nov 11 10:15:21 UTC 2011
Council discussed this in their meeting this week (as you'll have seen
from the forwarded minutes), and agreed not to publish as a XEP at the
The overriding concern is that the XSF does not have the expertise or
experience to define what Council believes to be a new security model.
Assuming that the server is not just open to subsequent compromise but
that it is entirely untrusted for handling of the user's account
credentials used to authenticate with the server is believed to be
novel and the risk of defining such a model ourselves, without
reference to the wider security community, is too great. This work
should be undertaken in another venue where such expertise is
available - the Kitten working group at the IETF has been suggested
(http://datatracker.ietf.org/wg/kitten/charter/). Once such models are
established, it would then be appropriate for the XSF to make use of
them in XEPs.
There were additional concerns that may not have blocked publication
as a XEP in isolation - mainly that some of the proposal seems to be
using stream features inappropriately for things that are not stream
features. The Council asked for community review on this point and
judged that the feedback from the community presented consensus that
this was not the right approach.
I think it would be worth looking at the aspects of the proposal
separately and breaking it down into work appropriate for different
venues and to seek the best approach for them before resubmission. Use
of SASL ANONYMOUS has been suggested by the community and seems to me
to be an appropriate approach for account registration stream setup.
At least one feature of the proposal (mandatory credential update) is
novel and interesting to develop further, I think.
More information about the Standards