[Standards] Account Management protoXEP

Dave Cridland dave at cridland.net
Wed Sep 21 15:53:10 UTC 2011


The intent of this is good; something providing similar capabilities  
to XEP-0077, but in a  consistent manner, seems like a good and  
useful thing to be working on.

However, I don't think this is the right approach, to the extent that  
I don't think this is fixable. Addressing the issues that have been  
raised in Council would mean a complete rewrite of the spec, so at  
this stage I think it would be easier - if there is will to replace  
XEP-0077 at all - to write a new XEP. So I'll phrase my feedback as a  
counter-proposal.

The majority of account management - save for registration itself -  
can be done as inline <iq/>s to the server, or some entity which the  
server effectively delegates to. This makes sense - we might, for  
example, use a component which interfaces in some more direct manner  
with Active Directory, for example.

The server will always need your plaintext password, for a number of  
reasons, but most obviously enforcing password policy. Any attempt to  
avoid clients passing the password in clear to the server should not  
be worked on in this forum - we simply don't have the expertise.

Registration does indeed pose a problem - I see three strategies for  
dealing with it:

a) We avoid the issue entirely. This is probably the sensible option  
- it's conceptually distinct from other areas of account management  
in any case.

b) We use stream features or pre-auth IQ. Neither are, to my mind,  
terribly palatable.

c) We use anonymous authentication to the server (or its delegated  
account management service) and then use fairly ordinary <iq/>s. This  
seems to fit neatly into the design of XMPP.

For both account management and registration, using the ad-hoc  
framework seems most sensible - it would allow us maximum flexibility  
as well as near-instant deployment.

If this seems like a good starting point, then I'm perfectly happy to  
write this up, and equally happy if someone else wants to.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade



More information about the Standards mailing list