On Feb 10, 2009, at 11:25 PM, Kevin Smith wrote:
On Tue, Feb 10, 2009 at 11:02 PM, Kurt Zeilenga <[email protected]> wrote:
It seems not so sensible when the admin happens to be authenticating
directly to the server hosting the chatroom. But for the case where the
administrator authenticates elsewhere, possibly to a server under separate
administrative control, (to the extent that password protected rooms are at
all sensible) it seems at least reasonable for a server to be allowed to
require the administrator know the password.
If we assume secure s2s, it seems that requiring the muc owner know a
password only protects against a compromised (or maliciously adminned)
server where the user can be impersonated by the server admin. Given
that the muc password is sent in plaintext, a compromised server could
pull this out of the stream anyway, so does it buy us much to require
a password for the muc owner?
I'm thinking more about a non-compromised server case, but just the case
of poor administrative practices.
Say the owner's account was deleted by his site's admin, and then that
account name was reassigned to some other person. Now a different
person is in control of the owner's account. This person might know
or discover his account has ownership rights on various chatrooms and
abuse those rights.
So I wonder if the password mechanism might be a way of mitigating
risks associated with such administrative practices.
Server implementations can add features to deal with this problem when
both the owner and chat room are hosted on the same server, but I
don't know any way of dealing well with this in the remote case except by
authentication of owner to room.
Now one can argue that the password does nothing to specifically
authenticate the owner, so maybe the password doesn't well mitigate
the risk.
-- Kurt