[Standards] [standards] Changes to XEP-0077: In-Band Registration

Tomasz Sterna tomek at xiaoka.com
Sun Jul 10 21:46:31 UTC 2016


On Fri, 08.07.2016 at 17:28 +0530, vaibhav singh wrote:
> XMPP XEP's. In Band registration was something that caught my eye, as
> the XEP itself said that it is utterly insecure and recommended
> people not to use it.

I don't see that wording in the XEP. You are probably misinterpreting:

"11. Security Considerations
[...] The registration methods defined herein are known to be insecure
and SHOULD NOT be used unless the channel between the registrant and
the entity that accepts registration has been secured."


This only means that the channel (i.e. TCP connection) over which you
are doing in-band registration has to be secured (i.e. TLS encrypted).



> 1.) Is there anything else people can use in XMPP to bootstrap users
> quickly, apart from in-band registration?

Out-of-band registration.
For example:
- a web-based registration form that creates an XMPP account
- integrating XMPP accounts with some other system's accounts

See "5. Redirection" [1] for a way of redirecting an IBR user to another
system for registration.


> 2.) If in-band registration is so insecure, and (from the looks of
> it) so important (at least a really good feature to have) why are
> there no alternative work flows people can use?

IBR is by design extensible [2] so there is no need for a competing
solution.



[1] http://xmpp.org/extensions/xep-0077.html#redirect
[2] http://xmpp.org/extensions/xep-0077.html#extensibility

-- 
 /o__ 
(_<^' If you are too busy to read, then you are too busy.
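
The section 11 requirement quoted above and the redirection in [1], shown as a policy gate placed in front of a server's IBR handler. This is an added example, not part of the original message and not code from any XMPP server. The names `gate_ibr` and `tls_active`, the choice of `<not-allowed/>` as the error condition, and the sample stanza and URL are assumptions.

```python
import xml.etree.ElementTree as ET

NS_REGISTER = "jabber:iq:register"
NS_OOB = "jabber:x:oob"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"


def gate_ibr(stanza_xml, tls_active, redirect_url=None):
    """Decide what to do with one incoming stanza before the IBR handler sees it.

    Returns (decision, reply_xml); decision is "ignore", "reject",
    "redirect" or "proceed". Hypothetical helper, not a real server API.
    """
    iq = ET.fromstring(stanza_xml)
    query = iq.find(f"{{{NS_REGISTER}}}query")
    if iq.tag.rpartition("}")[2] != "iq" or query is None:
        return "ignore", None  # not an in-band registration request

    reply = ET.Element("iq", {"id": iq.get("id", "")})
    if not tls_active or (redirect_url and iq.get("type") != "get"):
        # Section 11: no registration unless the channel is secured. Also
        # refuse submissions when registration is redirected elsewhere.
        # <not-allowed/> is this example's choice of error condition.
        reply.set("type", "error")
        err = ET.SubElement(reply, "error", {"type": "cancel"})
        ET.SubElement(err, f"{{{NS_STANZAS}}}not-allowed")
        return "reject", ET.tostring(reply, encoding="unicode")

    if redirect_url:
        # Section 5: answer the field request with instructions and an OOB URL.
        reply.set("type", "result")
        q = ET.SubElement(reply, f"{{{NS_REGISTER}}}query")
        instr = ET.SubElement(q, f"{{{NS_REGISTER}}}instructions")
        instr.text = f"To register, visit {redirect_url}"
        x = ET.SubElement(q, f"{{{NS_OOB}}}x")
        ET.SubElement(x, f"{{{NS_OOB}}}url").text = redirect_url
        return "redirect", ET.tostring(reply, encoding="unicode")

    return "proceed", None  # secured channel: hand over to the normal handler


# Constructed sample stanza (not captured traffic).
SAMPLE_GET = ("<iq xmlns='jabber:client' type='get' id='reg1'>"
              "<query xmlns='jabber:iq:register'/></iq>")

if __name__ == "__main__":
    print(gate_ibr(SAMPLE_GET, tls_active=False))
    print(gate_ibr(SAMPLE_GET, True, "https://example.org/register"))
```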