On Wed Nov 9 13:52:06 2011, Jehan Pagès wrote:
> Re-reading a little this topic before passing to council vote, I add my voice to this point too! That's another good reason why ad-hoc commands are probably not adapted. The more I think about it, the less I think ad-hoc fits password modification (or account creation).
>
> Ad-hoc is a great feature but is too generic for being secure (in its current state in particular, but in general too) and credentials are typically a part of the protocol which needs special care
I'd be willing to entertain this, except that account registration in
particular is highly variable from site to site.
For changing passwords, on the other hand, I don't see a need to
change from XEP-0077.
> (not showing the password in the GUI for anyone looking over the user's shoulder; specific processing and encryption before passing through the wire from client to server; never actually be known, if possible like for SCRAM, not even to the user's server, because users tend to have the bad habit of using the same password everywhere, etc.).
We can't do this here. It's not an impossible concept, but the place
to define such a standard would be in the IETF's Kitten working
group, not here. (In case anyone wonders, Kitten = "Son of Cat"; Cat
= "Common Authentication Technologies".)
If this were to happen, then (and only then) there'd be a compelling
reason for password changes to run through something different.
> I really think we need a specific protocol. I am ready to accept a lot of remarks and edit the XEP, we can discuss how to improve and simplify/secure/enhance/modify the protocol accordingly, or even divide whole parts of the XEP if really needed (for instance some people wondered whether we should not split the registration and management parts; I could make 2 XEPs for this). But let's have a secure approach and not stay in our current "all in plain text, without any precaution nor specific GUI" approach.
Registration I think has to be highly flexible, and that to me
suggests a well-known ad-hoc command.
Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
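Jehan's SCRAM point above (that the server never needs to learn the password) is concrete enough to show end to end. The following is an added example, not code from this thread or from any XMPP project: a minimal SCRAM-SHA-1 exchange as specified in RFC 5802, written in Python with a constructed user name, nonces and salt. It shows that the record the server keeps from registration contains no password and is not, on its own, enough to authenticate as the user, that the server verifies the client's proof without the password, and that the client verifies the server in return.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values for the demonstration; a real client and
# server generate fresh random nonces for every exchange.
USER = "juliet"
CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
SERVER_NONCE = "3rfcNHYJY1ZVvWVs7j"
GS2_HEADER = "n,,"  # "n" = no channel binding, empty authzid
CB_ATTR = base64.b64encode(GS2_HEADER.encode()).decode()  # the familiar "biws"


def _hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-1."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _parse(msg: str) -> dict:
    # SCRAM attributes are "k=v" pairs joined by commas; base64 never contains ','.
    return dict(part.split("=", 1) for part in msg.split(","))


def make_credential(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> dict:
    """What the server stores at registration: salt, iteration count, StoredKey, ServerKey.
    Neither the password nor SaltedPassword is kept."""
    salt = salt if salt is not None else os.urandom(16)
    salted = _hi(password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": _hmac(salted, b"Server Key"),
    }


def client_first(user: str, cnonce: str) -> tuple:
    """Returns (client-first-message, client-first-message-bare)."""
    bare = f"n={user},r={cnonce}"
    return GS2_HEADER + bare, bare


def server_first(cred: dict, cnonce: str, snonce: str) -> str:
    salt_b64 = base64.b64encode(cred["salt"]).decode()
    return f"r={cnonce}{snonce},s={salt_b64},i={cred['iterations']}"


def client_final(password: str, first_bare: str, server_first_msg: str) -> tuple:
    """Returns (client-final-message, AuthMessage, ServerKey the client expects)."""
    attrs = _parse(server_first_msg)
    salted = _hi(password.encode("utf-8"), base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    without_proof = f"c={CB_ATTR},r={attrs['r']}"
    auth_message = ",".join([first_bare, server_first_msg, without_proof])
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    proof = _xor(client_key, _hmac(stored_key, auth_message.encode()))
    final = without_proof + ",p=" + base64.b64encode(proof).decode()
    return final, auth_message, _hmac(salted, b"Server Key")


def server_verify(cred: dict, nonce: str, auth_message: str, client_final_msg: str) -> Optional[str]:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Returns the server-final-message on success, None on failure. No password involved."""
    attrs = _parse(client_final_msg)
    if attrs.get("r") != nonce:  # the nonce must echo what the server issued
        return None
    proof = base64.b64decode(attrs["p"])
    recovered_client_key = _xor(proof, _hmac(cred["stored_key"], auth_message.encode()))
    if not hmac.compare_digest(hashlib.sha1(recovered_client_key).digest(), cred["stored_key"]):
        return None
    return "v=" + base64.b64encode(_hmac(cred["server_key"], auth_message.encode())).decode()


def run_exchange(password: str, cred: dict) -> tuple:
    """Drive a full exchange; returns (server accepted client, client accepted server)."""
    _c1, bare = client_first(USER, CLIENT_NONCE)
    s1 = server_first(cred, CLIENT_NONCE, SERVER_NONCE)
    c2, auth_message, server_key = client_final(password, bare, s1)
    s2 = server_verify(cred, CLIENT_NONCE + SERVER_NONCE, auth_message, c2)
    if s2 is None:
        return False, False
    expected = "v=" + base64.b64encode(_hmac(server_key, auth_message.encode())).decode()
    return True, hmac.compare_digest(s2, expected)


if __name__ == "__main__":
    record = make_credential("correct horse battery staple")
    print("stored fields:", sorted(record))          # no 'password' field
    print("right password:", run_exchange("correct horse battery staple", record))
    print("wrong password:", run_exchange("not the password", record))
```

For brevity the server here is handed the AuthMessage it just saw on the wire; a real implementation rebuilds it from the messages it sent and received, which is what ties the proof to this particular exchange. The credential dictionary is the whole of what a database compromise would yield: StoredKey lets an attacker verify proofs, not produce one, unless they also capture a live exchange, which is why the thread's "not even to the user's server" wish is achievable for authentication even though in-band registration over XEP-0077 still carries the password once.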