[Standards] Proposed XMPP Extension: Pre-Authenticated In-Band Registration

Dave Cridland dave at cridland.net
Tue Nov 3 21:51:46 UTC 2020


On Tue, 3 Nov 2020 at 15:59, XEP Editor Pipeline <xep-editor-pipeline at zombofant.net> wrote:

> The XMPP Extensions Editor has received a proposal for a new XEP.
>
> Title: Pre-Authenticated In-Band Registration
> Abstract:
> This document extends the In-Band-Registration protocol to use
> invitation tokens, e.g. for registering accounts on non-public
> servers.
>
> URL: https://xmpp.org/extensions/inbox/ibr-token.html


This is a very comprehensively written XEP for an initial submission.

My main concern here is the addition of a further IQ during unauthenticated
state. In the case of every server I've worked with, the IBR (and '78 auth,
if supported) is hard-coded into the server. This generally feels like a
security nightmare lurking.

I would rather move in the other direction, and place the entirety of
registration inside non-stanza TLEs or (possibly) opting for a
registration-only authentication before exchanging stanzas.

Also, this namespace happens to be the same as XEP-0379, which is a trivial
fix (but, I think, blocking).

Dave.