[Standards] Securing in-band registration
Peter.Waher at clayster.com
Mon Mar 17 16:04:27 UTC 2014
What methods of securing automatic XMPP account creation (in-band registration, XEP-0077) by machines are you aware of?
I've found XEP-0158. Even though it refers to CAPTCHA, it also has some other, not so secure, methods.
I'm looking for a solution that would work as follows:
* A manufacturer can create an account on the XMPP Server. This account would identify the manufacturer and/or the application, and have contact details for the person responsible for the account. The account holder would receive a shared secret.
* A device can use this shared secret (or API key) to identify the application during in-band registration, using a challenge/response method (perhaps similar to OAuth), so the secret is not actually transmitted.
* Once the application has been verified, the in-band registration is granted.
* Any misuse can be controlled by the operator by revoking the shared secret of the application or the entire account.
Maintaining the shared secret inside the device would be a security issue of course, but that can be addressed.
Do you know of any such methods, or similar, available?
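The gate described above (manufacturer account holding a shared secret, a device proving possession of it by challenge/response without sending it, registration granted only after that proof, and revocation by the operator) sketched as an added Python example; this is not code from the original post, from XEP-0077 or from XEP-0158, and the application identifier, secret, JIDs and the HMAC-SHA256 construction are all assumptions made for illustration:

```python
import hashlib
import hmac
import secrets
import time

# Constructed example data (not from the post or any XEP): one manufacturer
# account and its shared secret, as the operator would store them server-side.
MANUFACTURER_SECRETS = {
    "acme-thermostat": b"constructed-shared-secret-not-for-production",
}


def compute_response(secret, app_id, nonce, desired_jid):
    """HMAC-SHA256 over (app_id, server nonce, requested JID).

    Binding the requested JID into the MAC means a captured response cannot be
    reused to register a different account.  This construction is an assumption
    of this example, not something the post or XEP-0077 specifies.
    """
    msg = b"\0".join([app_id.encode(), nonce.encode(), desired_jid.encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RegistrationServer:
    """Server side of the hypothetical gate placed in front of in-band registration."""

    def __init__(self, secrets_db, nonce_ttl=60):
        self.secrets = dict(secrets_db)
        self.revoked = set()
        self.nonce_ttl = nonce_ttl
        self.pending = {}  # nonce -> (app_id, issued_at)

    def challenge(self, app_id):
        """Issue a fresh single-use nonce, or None for unknown/revoked applications."""
        if app_id not in self.secrets or app_id in self.revoked:
            return None
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (app_id, time.time())
        return nonce

    def verify(self, app_id, nonce, desired_jid, response_hex):
        """Return True only if the response proves possession of the secret.

        The nonce is consumed on first use (replay protection), must be bound
        to the same app_id it was issued for, must not have expired, and the
        application must not have been revoked in the meantime.
        """
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False
        pending_app, issued_at = entry
        if pending_app != app_id or time.time() - issued_at > self.nonce_ttl:
            return False
        if app_id in self.revoked:
            return False
        expected = compute_response(self.secrets[app_id], app_id, nonce, desired_jid)
        # Constant-time comparison so response checking leaks no timing signal.
        return hmac.compare_digest(expected, response_hex)

    def revoke(self, app_id):
        """Operator action: stop honouring this application's secret."""
        self.revoked.add(app_id)


class Device:
    """Device side: holds the shared secret and only ever emits a MAC over it."""

    def __init__(self, app_id, secret):
        self.app_id = app_id
        self.secret = secret

    def respond(self, nonce, desired_jid):
        return compute_response(self.secret, self.app_id, nonce, desired_jid)


def register(server, device, desired_jid):
    """Full exchange: challenge -> response -> verify; True means XEP-0077 may proceed."""
    nonce = server.challenge(device.app_id)
    if nonce is None:
        return False
    response = device.respond(nonce, desired_jid)
    return server.verify(device.app_id, nonce, desired_jid, response)


if __name__ == "__main__":
    server = RegistrationServer(MANUFACTURER_SECRETS)
    device = Device("acme-thermostat", MANUFACTURER_SECRETS["acme-thermostat"])
    print("registration allowed:", register(server, device, "dev001@example.org"))
    server.revoke("acme-thermostat")
    print("after revocation:", register(server, device, "dev002@example.org"))
```

Only the HMAC leaves the device; the secret itself never crosses the wire. The shared-secret-in-the-device problem the post acknowledges is not solved here: anyone who extracts the secret from one device can register as that manufacturer until the operator revokes it, which is exactly why revocation is part of the design.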