[Standards] Securing in-band registration

Peter Waher Peter.Waher at clayster.com
Mon Mar 17 16:04:27 UTC 2014


Hello

What methods of securing automatic XMPP account creation (in-band registration, XEP-0077) that can be used by machines are you aware of?

I've found XEP-0158. Even though it refers to CAPTCHA, it also has some other, not so secure, methods.

I'm looking for a solution that would work as follows:

* A manufacturer can create an account on the XMPP Server. This account would identify the manufacturer and/or the application, and have contact details for the person responsible for the account. The account holder would receive a shared secret.

* A device can use this shared secret (or API key) to identify the application during in-band registration, using a challenge/response method (perhaps similar to OAUTH), so the secret is not actually transmitted.

* Once the application has been verified, the in-band registration is granted.

* Any misuse can be controlled by the operator by revoking the shared secret of the application or the entire account.

Maintaining the shared secret inside the device would be a security issue of course, but that can be addressed.

Do you know of any such methods, or similar, available?

Best regards,
Peter Waher
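The four steps described in the message above (manufacturer account with a shared secret, challenge/response proof from the device, grant on success, revocation of a key or a whole account), as an added example that is not part of the original post and not code from any XMPP server. It is a hypothetical registration gate: the server issues a single-use nonce, the device answers with an HMAC-SHA256 over the key id, the nonce and the JID it wants to register, and the server verifies the answer against the stored secret. The class name `RegistrationGate`, the key ids and the manufacturer names are assumptions; the sample data is constructed.

```python
"""Shared-secret challenge/response gate for in-band registration.

Added example, not code from the original post or from any XMPP server.
The secret never leaves the device: only an HMAC over a server-chosen
nonce is sent, so a captured exchange cannot be replayed or reused for
another JID.  Names (RegistrationGate, key ids, manufacturers) are
hypothetical; all sample data is constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple


def compute_response(secret: bytes, key_id: str, nonce: str, jid: str) -> str:
    """Device side: prove possession of `secret` without transmitting it.

    The message binds the nonce to the key id and the JID being registered,
    so a response is valid for exactly one challenge and one account.
    """
    msg = f"{key_id}\n{nonce}\n{jid}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RegistrationGate:
    """Server side: issues nonces, verifies responses, honours revocations."""

    def __init__(self, nonce_ttl_seconds: float = 60.0) -> None:
        # key_id -> (manufacturer account, shared secret)
        self.keys: Dict[str, Tuple[str, bytes]] = {}
        self.revoked_keys: Set[str] = set()
        self.revoked_accounts: Set[str] = set()
        # nonce -> (key_id it was issued for, issue time); single use
        self.pending: Dict[str, Tuple[str, float]] = {}
        self.nonce_ttl = nonce_ttl_seconds

    def register_manufacturer(self, manufacturer: str, key_id: str) -> bytes:
        """Step 1: the operator creates a manufacturer account and hands
        back a fresh 256-bit shared secret (API key)."""
        secret = secrets.token_bytes(32)
        self.keys[key_id] = (manufacturer, secret)
        return secret

    def revoke_key(self, key_id: str) -> None:
        """Step 4a: revoke one application key."""
        self.revoked_keys.add(key_id)

    def revoke_account(self, manufacturer: str) -> None:
        """Step 4b: revoke every key belonging to a manufacturer account."""
        self.revoked_accounts.add(manufacturer)

    def challenge(self, key_id: str) -> Optional[str]:
        """Step 2a: issue a random nonce bound to the claimed key id."""
        if key_id not in self.keys:
            return None  # unknown key: no challenge, no information leak
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (key_id, time.monotonic())
        return nonce

    def verify(self, key_id: str, nonce: str, jid: str, response_hex: str) -> bool:
        """Step 2b/3: check the response; True means registration is granted."""
        entry = self.pending.pop(nonce, None)  # pop: a nonce is usable once
        if entry is None or entry[0] != key_id:
            return False
        issued_key, issued_at = entry
        if time.monotonic() - issued_at > self.nonce_ttl:
            return False  # expired challenge
        if issued_key in self.revoked_keys:
            return False
        manufacturer, secret = self.keys[issued_key]
        if manufacturer in self.revoked_accounts:
            return False
        expected = compute_response(secret, issued_key, nonce, jid)
        # constant-time comparison avoids leaking the expected MAC byte by byte
        return hmac.compare_digest(expected, response_hex)


def run_demo() -> Dict[str, bool]:
    """Walk through the happy path, a replay, a wrong key and a revocation."""
    gate = RegistrationGate()
    secret = gate.register_manufacturer("acme-sensors", "acme-key-1")  # constructed
    jid = "sensor-0001@example.org"  # constructed

    nonce = gate.challenge("acme-key-1")
    good = compute_response(secret, "acme-key-1", nonce, jid)
    results = {"granted": gate.verify("acme-key-1", nonce, jid, good)}
    # the same nonce/response again must fail: nonces are single use
    results["replay_rejected"] = not gate.verify("acme-key-1", nonce, jid, good)

    nonce2 = gate.challenge("acme-key-1")
    forged = compute_response(b"not-the-real-secret", "acme-key-1", nonce2, jid)
    results["wrong_secret_rejected"] = not gate.verify("acme-key-1", nonce2, jid, forged)

    nonce3 = gate.challenge("acme-key-1")
    gate.revoke_account("acme-sensors")
    good3 = compute_response(secret, "acme-key-1", nonce3, jid)
    results["revoked_rejected"] = not gate.verify("acme-key-1", nonce3, jid, good3)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Binding the JID into the MAC is what makes this stronger than a bare "HMAC of the nonce": an attacker who captures a valid exchange cannot reuse it to register a different account, and the single-use nonce table closes the replay window entirely. The secret stored on the device remains the weak point the message acknowledges; this example only keeps it off the wire and revocable.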