[Standards] [standards] Changes to XEP-0077: In-Band Registration
tomek at xiaoka.com
Sun Jul 10 21:46:31 UTC 2016
W dniu 08.07.2016, pią o godzinie 17∶28 +0530, użytkownik vaibhav singh
> XMPP XEP's. In Band registration was something that caught my eye, as
> the XEP itself said that it is utterly insecure and recommended
> people not to use it.
I don't see that wording in XEP. You are probably misinterpretting:
"11. Security Considerations
[...] The registration methods defined herein are known to be insecure
and SHOULD NOT be used unless the channel between the registrant and
the entity that accepts registration has been secured."
This only means that the channel (i.e. TCP connection) you are doing
in-band registration has to be secured (i.e. TLS encrypted).
> 1.) Is there anything else people can use in XMPP to bootstrap users
> quickly, apart from in-band registration?
- a web based registration form that creates XMPP account
- integrating XMPP accounts with some other system accounts
See "5. Redirection"  for a way of redirecting IBR user to other
system for registration.
> 2.) If in-band registration is so insecure, and (from the looks of
> it) so important (atleast a really good feature to have) why are
> there no alternative work flows people can use?
IBR is by design extensible  so there is no need for competing
(_<^' If you are too busy to read, then you are too busy.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 473 bytes
Desc: This is a digitally signed message part
More information about the Standards