[Standards] Fwd: WGLC of draft-ietf-xmpp-6122bis-11

2014-03-17 Thread Peter Saint-Andre

FYI. Your feedback would be most welcome!

/psa

 Original Message 
Subject: WGLC of draft-ietf-xmpp-6122bis-11
Date: Mon, 17 Mar 2014 14:50:32 -0500
From: Ben Campbell
To: XMPP Working Group
CC: Peter Saint-Andre, Joe Hildebrand



This is a Working Group Last Call of draft-ietf-xmpp-6122bis-11. The 
draft is available at the following URL:


http://tools.ietf.org/html/draft-ietf-xmpp-6122bis-11

The WGLC will conclude on 31 March, 2014. Please send your comments to 
the authors and the XMPP mailing list.


Thanks!

Ben.




Re: [Standards] Securing in-band registration

2014-03-17 Thread Peter Saint-Andre

On 3/17/14, 10:04 AM, Peter Waher wrote:

Hello

What methods are you aware of for securing automatic XMPP account creation
(in-band registration, XEP-0077) that can be used by machines?


XEP-0077 is broken enough that I think we might need a new spec.

Peter




[Standards] Securing in-band registration

2014-03-17 Thread Peter Waher
Hello

What methods are you aware of for securing automatic XMPP account creation (in-band
registration, XEP-0077) that can be used by machines?

I've found XEP-0158. Even though it refers to CAPTCHA, it also has some other, 
not so secure, methods.

I'm looking for a solution that would work as follows:


* A manufacturer can create an account on the XMPP Server. This account 
would identify the manufacturer and/or the application, and have contact 
details for the person responsible for the account. The account holder would 
receive a shared secret.

* A device can use this shared secret (or API key) to identify the 
application during in-band registration, using a challenge/response method 
(perhaps similar to OAuth), so the secret is not actually transmitted.

* Once the application has been verified, the in-band registration is 
granted.

* Any misuse can be controlled by the operator by revoking the shared 
secret of the application or the entire account.

Maintaining the shared secret inside the device would be a security issue of 
course, but that can be addressed.

Do you know of any such methods, or similar, available?

Best regards,
Peter Waher
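The challenge/response flow sketched in the post above, worked through as an added example. This is not code from the thread, from XEP-0077 or from any XMPP server; it simulates both the device and the server in one process with no network. The `jabber:iq:register` namespace and the `<username>`/`<password>` fields are the real XEP-0077 ones; the `urn:example:reg-challenge` namespace, the `<challenge>`/`<nonce>`/`<proof>` elements, the HMAC-SHA256 proof over nonce, application id and username, the in-memory key store and the application/user names are all assumptions made for illustration.

```python
"""Gating XEP-0077 in-band registration with a per-application shared secret.

Added example, not part of the original post or of any XEP. The CHAL_NS
namespace, the <challenge>/<proof> elements and the HMAC construction are
assumptions; only REG_NS and its username/password children come from XEP-0077.
"""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

REG_NS = "jabber:iq:register"           # real XEP-0077 namespace
CHAL_NS = "urn:example:reg-challenge"   # hypothetical extension namespace


def compute_proof(key, nonce, app_id, username):
    """HMAC-SHA256 over the server nonce, the application id and the requested
    username. Binding the username stops a captured proof from being reused to
    register a different account; the key itself never leaves the device."""
    msg = "\x00".join([nonce, app_id, username]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class RegistrationServer:
    """Server side: per-application API keys, revocations and single-use nonces."""

    def __init__(self, domain):
        self.domain = domain
        self.app_keys = {}   # app_id -> shared secret (bytes), issued to the manufacturer
        self.revoked = set() # app_ids whose secret the operator has revoked
        self.pending = {}    # outstanding nonce -> app_id; popped on first use
        self.accounts = {}   # created localpart -> app_id that registered it

    def register_app(self, app_id):
        """Operator enrols a manufacturer/application and hands back its secret."""
        key = os.urandom(32)
        self.app_keys[app_id] = key
        return key

    def revoke_app(self, app_id):
        self.revoked.add(app_id)

    def challenge(self, app_id):
        """Step 1: device names its application; server answers with a fresh nonce."""
        if app_id not in self.app_keys or app_id in self.revoked:
            return None
        nonce = os.urandom(16).hex()
        self.pending[nonce] = app_id
        iq = ET.Element("iq", {"type": "result", "from": self.domain})
        chal = ET.SubElement(iq, "challenge", {"xmlns": CHAL_NS, "app": app_id})
        ET.SubElement(chal, "nonce").text = nonce
        return ET.tostring(iq, encoding="unicode")

    def register(self, stanza_xml):
        """Step 2: check the proof, then honour the XEP-0077 registration set."""
        iq = ET.fromstring(stanza_xml)
        query = iq.find(f"{{{REG_NS}}}query")
        proof_el = iq.find(f"{{{CHAL_NS}}}proof")
        if query is None or proof_el is None:
            return "error:bad-request"
        username = query.findtext(f"{{{REG_NS}}}username") or ""
        nonce = proof_el.get("nonce", "")
        app_id = self.pending.pop(nonce, None)   # pop: a nonce is valid exactly once
        if app_id is None or app_id in self.revoked:
            return "error:not-authorized"
        expected = compute_proof(self.app_keys[app_id], nonce, app_id, username)
        if not hmac.compare_digest(expected, proof_el.text or ""):
            return "error:not-authorized"
        if username in self.accounts:
            return "error:conflict"
        self.accounts[username] = app_id
        return "result"


def nonce_from_challenge(chal_xml):
    return ET.fromstring(chal_xml).find(f".//{{{CHAL_NS}}}nonce").text


def build_registration(domain, app_id, key, nonce, username):
    """Device side: XEP-0077 <query/> plus the proof answering the challenge."""
    iq = ET.Element("iq", {"type": "set", "to": domain, "id": "reg1"})
    query = ET.SubElement(iq, "query", {"xmlns": REG_NS})
    ET.SubElement(query, "username").text = username
    ET.SubElement(query, "password").text = os.urandom(12).hex()  # device-chosen password
    proof = ET.SubElement(iq, "proof", {"xmlns": CHAL_NS, "nonce": nonce})
    proof.text = compute_proof(key, nonce, app_id, username)
    return ET.tostring(iq, encoding="unicode")


def device_register(server, app_id, key, username):
    """Full device flow: get a challenge, answer it, submit the registration."""
    chal_xml = server.challenge(app_id)
    if chal_xml is None:
        return "error:not-authorized"
    nonce = nonce_from_challenge(chal_xml)
    return server.register(build_registration(server.domain, app_id, key, nonce, username))


if __name__ == "__main__":
    srv = RegistrationServer("example.org")
    k = srv.register_app("acme-thermostat")
    print(device_register(srv, "acme-thermostat", k, "thermo-0001"))
    print(device_register(srv, "acme-thermostat", b"wrong-key", "thermo-0002"))
    srv.revoke_app("acme-thermostat")
    print(device_register(srv, "acme-thermostat", k, "thermo-0003"))
```

Three properties of the sketch fall out of the code: the secret is never sent (only an HMAC over a server-chosen nonce), every nonce is popped on first use so a captured registration stanza cannot be replayed, and revocation of the application is checked both when the challenge is issued and when the proof is verified, so the operator can cut off a misbehaving product line without touching accounts already created. Protecting the key inside the device, which the post sets aside, is likewise outside this example.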