> On 11 Nov 2015, at 11:42, Georg Lukas <[email protected]> wrote:
>
> * Dave Cridland <[email protected]> [2015-11-11 08:58]:
>>> What do you suggest to replace it with?
>> [...] we need, I think, a mechanism which takes a potential new user
>> through new account creation, and helps in configuring their client,
>> and ideally works across multiple servers.
>
> I actually like Dave's suggestion from the other thread, to disallow
> message sending from untrusted users. What about the following approach:
>
> 1. User registers with IBR
> 2. User sends message
> 3. Server (local or remote) flags user as potential spammer
> 4. Server stores undelivered message, gives the user a captcha to solve
>    (via a HTTP(S) link)
> 5. User solves captcha
> 6. Server forwards/delivers messages
It would be great if this was more generic and so could be used for other out-of-band account verification techniques. So the user can sign up, but their account is disabled until they have verified their identity via e.g. email, SMS, Google, Facebook, etc. But there is some standardised way of saying to the client "You need to verify your account via another means". Maybe the server supplies a token out-of-band (e.g. by SMS) and allows that to be posted via XMPP, or does the whole verification out-of-band (e.g. clicking a link in an email) and then the server notifies the client via XMPP that the account is now verified and active. — Ash
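To make the two proposals above concrete, here is a small model of the server-side state machine they describe: Georg's six steps (register, send, flag, hold and challenge, solve, flush) plus Ash's two variants (the client posts a token it received out-of-band back over XMPP, or the server completes verification entirely out-of-band and then releases the account). This is an added illustration, not code from either poster and not a proposed stanza format; the JIDs, the `Server`/`Account` names, the token length, the TTL and the attempt limit are all assumptions chosen for the example. The "out-of-band channel" is just a list the server appends to, standing in for an SMS, email link or captcha page.

```python
"""Model of gated message delivery for freshly registered (IBR) accounts.

Added example for the thread; the design details below (token size, TTL,
attempt cap, JIDs) are assumptions, not anything the list agreed on.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 600   # assumed: a challenge is valid for ten minutes
MAX_ATTEMPTS = 5          # assumed: cap on guesses before a new token is needed


@dataclass
class Account:
    jid: str
    verified: bool = False
    token: Optional[str] = None
    token_expiry: float = 0.0
    attempts: int = 0
    held: List[Tuple[str, str]] = field(default_factory=list)  # (to, body)


class Server:
    """Holds outbound messages from unverified accounts until a challenge is solved."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.delivered: List[Tuple[str, str, str]] = []   # (from, to, body) forwarded
        self.out_of_band: List[Tuple[str, str]] = []      # (jid, token) sent via SMS/email/captcha

    def register(self, jid: str) -> None:
        """Step 1: IBR creates the account, but in the unverified state."""
        self.accounts[jid] = Account(jid)

    def send(self, sender: str, to: str, body: str) -> str:
        """Steps 2-4: deliver if verified, else hold the message and challenge the sender."""
        acct = self.accounts[sender]
        if acct.verified:
            self.delivered.append((sender, to, body))
            return "delivered"
        acct.held.append((to, body))
        if acct.token is None or self.clock() > acct.token_expiry:
            self._issue_token(acct)
        return "verification-required"   # what the client would be told, in some standard form

    def _issue_token(self, acct: Account) -> None:
        """Hand a fresh unguessable token to the out-of-band channel."""
        acct.token = secrets.token_urlsafe(16)
        acct.token_expiry = self.clock() + TOKEN_TTL_SECONDS
        acct.attempts = 0
        self.out_of_band.append((acct.jid, acct.token))

    def verify_with_token(self, jid: str, submitted: str) -> str:
        """Step 5, variant A: the client posts the out-of-band token back over XMPP."""
        acct = self.accounts[jid]
        if acct.verified:
            return "already-verified"
        if acct.token is None or self.clock() > acct.token_expiry:
            acct.token = None
            return "expired"
        acct.attempts += 1
        if acct.attempts > MAX_ATTEMPTS:
            acct.token = None            # force a new challenge; stops online guessing
            return "locked"
        if not hmac.compare_digest(acct.token, submitted):   # constant-time compare
            return "invalid"
        self._activate(acct)
        return "verified"

    def verify_out_of_band(self, jid: str) -> str:
        """Step 5, variant B: the side channel (e.g. an email link) confirms the user itself."""
        acct = self.accounts[jid]
        if acct.verified:
            return "already-verified"
        self._activate(acct)
        return "account-activated"       # the notification the client would receive over XMPP

    def _activate(self, acct: Account) -> None:
        """Step 6: mark verified, drop the token and flush everything that was held."""
        acct.verified = True
        acct.token = None
        for to, body in acct.held:
            self.delivered.append((acct.jid, to, body))
        acct.held.clear()


def run_demo() -> Server:
    """Walk one constructed account through the flow; returns the server for inspection."""
    server = Server()
    server.register("[email protected]")                    # constructed JID
    server.send("[email protected]", "[email protected]", "hello?")   # held, challenge issued
    server.verify_with_token("[email protected]", "not-the-token")   # rejected
    jid, token = server.out_of_band[-1]                     # user reads token from SMS/email
    server.verify_with_token(jid, token)                    # accepted, held message flushed
    server.send(jid, "[email protected]", "second message")  # now delivered directly
    return server


if __name__ == "__main__":
    for entry in run_demo().delivered:
        print(entry)
```

The two things worth noticing are that nothing is delivered before verification (the held list is the only copy), and that the token check uses a constant-time comparison and an attempt cap, since a token that can be guessed online would make the gate pointless. Whether the client gets the "verification-required" signal as an error stanza, an IQ or something else is exactly the standardisation question Ash raises and is not decided here.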
