On Tue, 3 Nov 2020 at 15:59, XEP Editor Pipeline < [email protected]> wrote:
> The XMPP Extensions Editor has received a proposal for a new XEP. > > Title: Pre-Authenticated In-Band Registration > Abstract: > This document extends the In-Band-Registration protocol to use > invitation tokens, e.g. for registering accounts on non-public > servers. > > URL: https://xmpp.org/extensions/inbox/ibr-token.html This is a very comprehensively written XEP for an initial submission. My main concern here is the addition of a further IQ during unauthenticated state. In the case of every server I've worked with, the IBR (and '78 auth, if supported) is hard-coded into the server. This generally feels like a security nightmare lurking. I would rather move in the other direction, and place the entirety of registration inside non-stanza TLEs or (possibly) opting for a registration-only authentication before exchanging stanzas. Also, this namespace happens to be the same as XEP-0379, which is a trivial fix (but, I think, blocking). Dave.
_______________________________________________ Standards mailing list Info: https://mail.jabber.org/mailman/listinfo/standards Unsubscribe: [email protected] _______________________________________________
