On 16 November 2015 at 14:34, Peter Waher <[email protected]> wrote:
> Hello Florian
>
> Yes, you can prevent mass-registration of non-human users using other
> mechanisms. The important part here is not to deprecate the IBR method, but
> to build on it, if possible, in a pluggable manner. The CAPTCHA mechanism
> provided a start for how this can be done. But it is not a good method to
> recommend, as dedicated robots today solve CAPTCHA problems quite
> successfully. (And the method selected should not rely on web technologies
> either, but should work using XMPP alone.)

Yes, possibly.

> In XEP-0348 I propose a solution where the IBR registration form is signed
> using secret credentials, without revealing the credentials, in a secure
> manner using a signature method that has been around for a while (OAUTH).
> This makes it possible for trusted parties (manufacturer, software provider,
> device make/model etc.) to automatically create accounts, either freely or
> in batches of a specified amount on specific servers. You could also improve
> on this, by making the signature method pluggable, for instance using
> Dynamic Forms (XEP-0336). This means, you can provide a mechanism (as the
> one proposed in XEP-0348) for things that have no human users, and another
> method that can be used by humanly operated clients (like reCAPTCHA or
> something similar), where you don't want to build in credentials into the
> firmware. In this way, you could create a solution that does not limit it to
> one specific signature method, but that has a pluggable (SASL-like) method,
> that can be used on-top of an already established technology, such as IBR
> that is widely supported already.

Yes, possibly.

To reiterate my point, these things are per-deployment considerations.
Some deployments are for human users, some are for machines. They need
to be handled differently.

What the XSF needs to provide is a protocol that can be successfully
used for both. I believe XEP-0077 caters for (by being extensible)
every case of wanting to register with a server. It's also not
mandatory for servers to implement or enable it.

This list also sometimes tends towards discussion about the IM
network, which may well want to discourage use of (or just certain
configurations of) XEP-0077. I understand that open registration is a
problem on the federated network, but it's not a protocol issue and
XEP-0077 as a protocol should not be deprecated.

Personally (and off-topically) I really think we do need some meta
organisation that is more network-focused than standards-focused.
Similar to xmpp.net's old vision.

Regards,
Matthew
