Hello,

What methods of securing automatic XMPP account creation (in-band registration, XEP-0077) that can be used by machines are you aware of?

I've found XEP-0158. Even though it refers to CAPTCHA, it also has some other, not so secure, methods. I'm looking for a solution that would work as follows:

* A manufacturer can create an account on the XMPP Server. This account would identify the manufacturer and/or the application, and have contact details for the person responsible for the account. The account holder would receive a shared secret.
* A device can use this shared secret (or API key) to identify the application during in-band registration, using a challenge/response method (perhaps similar to OAuth), so the secret is not actually transmitted.
* Once the application has been verified, the in-band registration is granted.
* Any misuse can be controlled by the operator by revoking the shared secret of the application or the entire account.

Maintaining the shared secret inside the device would be a security issue of course, but that can be addressed.

Do you know of any such methods, or similar, available?

Best regards,
Peter Waher
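
The four requirements listed in the message above, modelled as an added example that is not part of the original post and does not reproduce any XEP's wire format: a per-application secret, a single-use challenge answered with an HMAC so the secret is never transmitted, and operator revocation. The names `RegistrationGate` and `device_response`, the key id `acme-sensor` used in testing, and the choice of HMAC-SHA-256 are assumptions; how the challenge would be carried in XMPP stanzas is left out.

```python
import hashlib
import hmac
import secrets


class RegistrationGate:
    """Server side: per-application keys, single-use challenges, revocation."""

    def __init__(self):
        self.app_keys = {}    # key_id -> shared secret (bytes)
        self.revoked = set()  # key_ids revoked by the operator
        self.pending = {}     # challenge nonce -> key_id it was issued to

    def enroll(self, key_id):
        """Manufacturer account creation: returns the shared secret."""
        self.app_keys[key_id] = secrets.token_bytes(32)
        return self.app_keys[key_id]

    def revoke(self, key_id):
        """Operator control: every device using this key is refused from now on."""
        self.revoked.add(key_id)

    def challenge(self, key_id):
        """Issue a fresh nonce; unknown ids get one too, so this step
        does not reveal which key ids exist."""
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = key_id
        return nonce

    def register(self, key_id, nonce, username, response):
        """Grant registration only for a valid, unused, unrevoked response."""
        issued_to = self.pending.pop(nonce, None)  # single use: a replay fails
        secret = self.app_keys.get(key_id)
        if issued_to != key_id or secret is None or key_id in self.revoked:
            return False
        expected = device_response(secret, nonce, username)
        return hmac.compare_digest(expected, response)  # constant-time compare


def device_response(secret, nonce, username):
    """Device side: the HMAC binds the challenge to the requested username,
    so the secret never crosses the wire and a captured response cannot be
    reused to register a different account name."""
    msg = len(nonce).to_bytes(2, "big") + nonce + username.encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).digest()
```
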
