Council discussed this in their meeting this week (as you'll have seen from the forwarded minutes), and agreed not to publish as a XEP at the moment.
The overriding concern is that the XSF does not have the expertise or experience to define what Council believes to be a new security model. Assuming that the server is not just open to subsequent compromise but that it is entirely untrusted for handling of the user's account credentials used to authenticate with the server is believed to be novel, and the risk of defining such a model ourselves, without reference to the wider security community, is too great. This work should be undertaken in another venue where such expertise is available - the Kitten working group at the IETF has been suggested (http://datatracker.ietf.org/wg/kitten/charter/). Once such models are established, it would then be appropriate for the XSF to make use of them in XEPs.

There were additional concerns that may not have blocked publication as a XEP in isolation - mainly that some of the proposal seems to be using stream features inappropriately for things that are not stream features. The Council asked for community review on this point and judged that the feedback from the community presented consensus that this was not the right approach.

I think it would be worth looking at the aspects of the proposal separately and breaking it down into work appropriate for different venues, and to seek the best approach for them before resubmission. Use of SASL ANONYMOUS has been suggested by the community and seems to me to be an appropriate approach for account registration stream setup. At least one feature of the proposal (mandatory credential update) is novel and interesting to develop further, I think.

/K
