Back in January Ian Paterson argued that we need to make in-band registration more secure:

http://mail.jabber.org/pipermail/standards/2007-January/013563.html

And I agree:

http://mail.jabber.org/pipermail/standards/2007-January/013566.html

Ian recently brought up the issue again on the Council list:

http://mail.jabber.org/pipermail/council/2007-July/002161.html

So yes, we need to better secure how we do in-band registration with servers (I care less about registration with services like MUC rooms and transports). Right now it is way too easy to create a botnet that registers lots of new users at various open servers and then starts spamming existing Jabber users.

Part of the solution is requiring x:data forms for registration. Yes, as Matthias pointed out, this will make life difficult for existing clients. So we need to define a transition strategy: clearly define how the x:data-only registration works and set some goals for deprecating the old way of doing things.

Part of the solution is also XEP-0158:

http://www.xmpp.org/extensions/xep-0158.html

If we support media-in-forms (e.g. CAPTCHAs) we may have even stronger weapons. See XEP-0221 for the media element definition (recently moved from XEP-0158).

Peter
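As an added illustration (not part of Peter's post and not code from any XMPP server project), the following Python sketch shows the server side of the "x:data-only" registration he describes: the server offers a jabber:iq:register form carrying a CAPTCHA field whose image is attached via the XEP-0221 media element, and it refuses the legacy plain-element registration entirely. The namespaces are the real ones from XEP-0077, XEP-0004 and XEP-0221; the `challenge`/`ocr` field names, the `cid:` URI for the image and the in-memory challenge store are assumptions chosen for the example rather than anything the post specifies.

```python
import hmac
import secrets
import xml.etree.ElementTree as ET

NS_REGISTER = "jabber:iq:register"    # XEP-0077 in-band registration
NS_XDATA = "jabber:x:data"            # XEP-0004 data forms
NS_MEDIA = "urn:xmpp:media-element"   # XEP-0221 media element

# Hypothetical in-memory store: challenge id -> expected OCR answer.
# Each challenge is single use so a solved image cannot be replayed.
_challenges = {}


def issue_challenge(answer):
    """Register a fresh CAPTCHA answer and return its opaque id."""
    cid = secrets.token_hex(8)
    _challenges[cid] = answer
    return cid


def build_registration_form(challenge_id, image_cid):
    """<query/> the server returns in its IQ result: only an x:data form, no legacy fields."""
    query = ET.Element(f"{{{NS_REGISTER}}}query")
    ET.SubElement(query, f"{{{NS_REGISTER}}}instructions").text = "Fill out the form to register."
    x = ET.SubElement(query, f"{{{NS_XDATA}}}x", type="form")

    def field(var, ftype, label=None, required=False, value=None):
        attrs = {"var": var, "type": ftype}
        if label:
            attrs["label"] = label
        f = ET.SubElement(x, f"{{{NS_XDATA}}}field", attrs)
        if value is not None:
            ET.SubElement(f, f"{{{NS_XDATA}}}value").text = value
        if required:
            ET.SubElement(f, f"{{{NS_XDATA}}}required")
        return f

    field("FORM_TYPE", "hidden", value=NS_REGISTER)
    field("username", "text-single", "Username", required=True)
    field("password", "text-private", "Password", required=True)
    field("challenge", "hidden", value=challenge_id)        # assumed field name
    ocr = field("ocr", "text-single", "Enter the characters you see", required=True)
    # XEP-0221 media element pointing at the CAPTCHA image (cid: URI is an assumption)
    media = ET.SubElement(ocr, f"{{{NS_MEDIA}}}media", height="80", width="290")
    ET.SubElement(media, f"{{{NS_MEDIA}}}uri", type="image/png").text = f"cid:{image_cid}"
    return query


def build_submit_iq(username, password, challenge_id, ocr_answer):
    """Constructed client submission (the 'new way')."""
    iq = ET.Element("iq", type="set", id="reg2")
    query = ET.SubElement(iq, f"{{{NS_REGISTER}}}query")
    x = ET.SubElement(query, f"{{{NS_XDATA}}}x", type="submit")
    for var, val in (("FORM_TYPE", NS_REGISTER), ("username", username),
                     ("password", password), ("challenge", challenge_id), ("ocr", ocr_answer)):
        f = ET.SubElement(x, f"{{{NS_XDATA}}}field", var=var)
        ET.SubElement(f, f"{{{NS_XDATA}}}value").text = val
    return ET.tostring(iq, encoding="unicode")


def build_legacy_iq(username, password):
    """Constructed legacy submission with bare <username/> and <password/> (the 'old way')."""
    iq = ET.Element("iq", type="set", id="reg1")
    query = ET.SubElement(iq, f"{{{NS_REGISTER}}}query")
    ET.SubElement(query, f"{{{NS_REGISTER}}}username").text = username
    ET.SubElement(query, f"{{{NS_REGISTER}}}password").text = password
    return ET.tostring(iq, encoding="unicode")


def _submitted_fields(query):
    x = query.find(f"{{{NS_XDATA}}}x")
    if x is None or x.get("type") != "submit":
        return None
    fields = {}
    for f in x.findall(f"{{{NS_XDATA}}}field"):
        v = f.find(f"{{{NS_XDATA}}}value")
        fields[f.get("var")] = (v.text or "") if v is not None else ""
    return fields


def validate_registration(iq_xml):
    """Return (accepted, detail). Accept only x:data submits with a valid one-time CAPTCHA."""
    query = ET.fromstring(iq_xml).find(f"{{{NS_REGISTER}}}query")
    if query is None:
        return (False, "bad-request")
    # Deprecated legacy registration: refuse rather than silently honour it.
    for legacy in ("username", "password"):
        if query.find(f"{{{NS_REGISTER}}}{legacy}") is not None:
            return (False, "not-acceptable: x:data form required")
    fields = _submitted_fields(query)
    if fields is None or fields.get("FORM_TYPE") != NS_REGISTER:
        return (False, "bad-request: x:data submit with FORM_TYPE jabber:iq:register required")
    for var in ("username", "password", "challenge", "ocr"):
        if not fields.get(var):
            return (False, f"bad-request: missing {var}")
    expected = _challenges.pop(fields["challenge"], None)   # single use: gone after first try
    given = fields["ocr"].strip().lower().encode()
    if expected is None or not hmac.compare_digest(expected.lower().encode(), given):
        return (False, "not-acceptable: CAPTCHA failed")
    return (True, fields["username"])
```

Popping the challenge before comparing means a wrong guess burns the image, so a client that fails has to fetch a new form; the constant-time compare is cheap insurance and the `FORM_TYPE` check is what stops a client from sending an unrelated form into the registration path.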
