[Standards] Proposed XMPP Extension: Pre-Authenticated In-Band Registration
dave at cridland.net
Tue Nov 3 21:51:46 UTC 2020
On Tue, 3 Nov 2020 at 15:59, XEP Editor Pipeline <xep-editor-pipeline at zombofant.net> wrote:
> The XMPP Extensions Editor has received a proposal for a new XEP.
> Title: Pre-Authenticated In-Band Registration
> This document extends the In-Band-Registration protocol to use
> invitation tokens, e.g. for registering accounts on non-public
> URL: https://xmpp.org/extensions/inbox/ibr-token.html

This is a very comprehensively written XEP for an initial submission.

My main concern here is the addition of a further IQ during unauthenticated
state. In the case of every server I've worked with, the IBR (and '78 auth,
if supported) is hard-coded into the server. This generally feels like a
security nightmare lurking.

I would rather move in the other direction, and place the entirety of
registration inside non-stanza TLEs or (possibly) opting for a
registration-only authentication before exchanging stanzas.

Also, this namespace happens to be the same as XEP-0379, which is a trivial
fix (but, I think, blocking).