Peter Saint-Andre wrote:
> On 12/10/09 5:21 PM, Mihael Pranjić wrote:
>> On Friday, 11 December 2009 01:03:51 you wrote:
>>> On 12/10/09 4:55 PM, Jonathan Schleifer wrote:
>>>> On 10.12.2009 at 23:50, Mihael Pranjić wrote:
>>>>> It clearly does sound like a sane idea. This would solve the
>>>>> problem of having multiple users use the same JID after it was
>>>>> deleted. But think of jabber accounts that were created, used for
>>>>> a short time and then left lying around on the server. This
>>>>> includes unnecessarily created accounts and so on. However it is
>>>>> defined, on most public services there are many jabber accounts
>>>>> just lying around, unused. This makes it impossible for someone
>>>>> who would really like to use the same JID to register it, as he
>>>>> does not have the email address.
>>>>>
>>>>> In short there won't be two different people using the same jabber
>>>>> account, regardless of the fact that there may be "garbage"
>>>>> accounts that are not really used. This makes it impossible to get
>>>>> the JID, even for the people who would really use it.
>>>>>
>>>>> Captcha could prevent an amount of "garbage" accounts, but is not
>>>>> 100% proof. Anyone can still create accounts and not use them.
>>>>
>>>> Well, you could make a difference between accounts that have been
>>>> used for a while and accounts that have been registered but never
>>>> used. For example, if the user never logged in two weeks after it
>>>> has been created, it is unlikely that the account has ever been
>>>> used properly - in this case, I guess it is safe to remove it, as I
>>>> don't think someone who just registered an account will get
>>>> important privileges anywhere.
>>>
>>> Says who?
>>>
>>> I tell all the people who matter that I'm creating a new account
>>> because I'm tired of having 2400 people in my roster at the old
>>> account, on day one I become a room owner for a bunch of chatrooms,
>>> then I go offline for a two-week vacation. I come home and my account
>>> is gone. What gives?
>>>
>>> Look, we can spin out weird scenarios all day.
>>>
>>> Peter
>>
>> Yeah we can, but going through some scenarios can show up security
>> issues related to this. If the discussion is not welcome we can stop
>> *LOL*
>> If no one thinks this is a topic that should be discussed we can just
>> close it.
>
> Discussion is good, but I don't think we're making any progress here.
>
> In any case I'll think about this for the jabber.org service, but we
> have more pressing issues to work on right now.

If you logged in to become a room owner your account wouldn't get
removed according to his statement, though.

"[...] and accounts that have been registered but never used. For
example, if the user never logged in two weeks [...]"

Removing accounts that haven't been used /at all/ for two weeks since
registration shouldn't raise any security issues even if re-registering
is allowed?

/Flo

>> In my opinion though this issue comes with XMPP and it won't go away.
>> It's related to its design. You just can not identify someone 100%.
>> This is the same with email too. Maybe something with/like OpenPGP can
>> be figured out. Any kind of unique signature. OpenPGP can be used in
>> client to client chats, but MUCs don't support unique identifying
>> through something like OpenPGP. Once you prove a user's PGP
>> fingerprint and add it to the room configuration you could identify
>> the user easily. I am not sure about how to implement this though, not
>> even sure if it would work. Doesn't seem that insane though imho
>
> And how many people use PGP? That's not a scalable system for real
> people.
>
> Peter
