The intent of this is good; something providing similar capabilities
to XEP-0077, but in a consistent manner, seems like a good and
useful thing to be working on.
However, I don't think this is the right approach, to the extent that
I don't think this is fixable. Addressing the issues that have been
raised in Council would mean a complete rewrite of the spec, so at
this stage I think it would be easier - if there is will to replace
XEP-0077 at all - to write a new XEP. So I'll phrase my feedback as a
counter-proposal.
The majority of account management - save for registration itself -
can be done as inline <iq/>s to the server, or some entity which the
server effectively delegates to. This makes sense - we might, for
example, use a component which interfaces in some more direct manner
with Active Directory.
The server will always need your plaintext password, for a number of
reasons, but most obviously enforcing password policy. Any attempt to
avoid clients passing the password in clear to the server should not
be worked on in this forum - we simply don't have the expertise.
Registration does indeed pose a problem - I see three strategies for
dealing with it:
a) We avoid the issue entirely. This is probably the sensible option
- it's conceptually distinct from other areas of account management
in any case.
b) We use stream features or pre-auth IQ. Neither is, to my mind,
terribly palatable.
c) We use anonymous authentication to the server (or its delegated
account management service) and then use fairly ordinary <iq/>s. This
seems to fit neatly into the design of XMPP.
For both account management and registration, using the ad-hoc
framework seems most sensible - it would allow us maximum flexibility
as well as near-instant deployment.
If this seems like a good starting point, then I'm perfectly happy to
write this up, and equally happy if someone else wants to.
Dave.
--
Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
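The following is an added illustration of option (c) combined with the ad-hoc command framework, written for this page and not part of Dave's mail or of any XEP: a toy server-side handler (the sort of thing the server could delegate to a component) that drives a registration command over ordinary <iq/>s, plus the two stanzas the client sends once it has authenticated anonymously. The command node name 'register', the password policy rules and the in-memory account store are all assumptions; XEP-0050 itself defines no registration node, and a real server would hash the password rather than keep it. The point it shows is the one the mail makes about policy: because the server sees the password in clear, it can reject a weak one and hand the form back within the same session rather than completing the command.

```python
"""Toy XEP-0050 ad-hoc command handler for account registration.

Added example, not from the thread. Assumptions: the client has already
authenticated anonymously (SASL ANONYMOUS) so it can send normal <iq/>s;
the command node is called 'register'; the password policy is local.
"""
import secrets
import xml.etree.ElementTree as ET

NS_CMD = "http://jabber.org/protocol/commands"        # XEP-0050
NS_DATA = "jabber:x:data"                              # XEP-0004 data forms
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"     # RFC 6120 stanza errors
NODE = "register"            # assumed node name (not defined by any XEP)
MIN_PASSWORD_LEN = 12        # assumed local password policy


# ---- client side: the two stanzas a registering client sends -------------

def client_execute(iq_id: str) -> str:
    """Stanza 1: open the command session; the server answers with a form."""
    return (f"<iq type='set' id='{iq_id}' to='example.net'>"
            f"<command xmlns='{NS_CMD}' node='{NODE}' action='execute'/></iq>")


def client_submit(iq_id: str, sessionid: str, username: str, password: str) -> str:
    """Stanza 2: submit the filled-in form inside the same session."""
    iq = ET.Element("iq", type="set", id=iq_id, to="example.net")
    cmd = ET.SubElement(iq, f"{{{NS_CMD}}}command", node=NODE, sessionid=sessionid)
    x = ET.SubElement(cmd, f"{{{NS_DATA}}}x", type="submit")
    for var, value in (("username", username), ("password", password)):
        field = ET.SubElement(x, f"{{{NS_DATA}}}field", var=var)
        ET.SubElement(field, f"{{{NS_DATA}}}value").text = value
    return ET.tostring(iq, encoding="unicode")


# ---- server (or delegated component) side --------------------------------

class RegistrationCommand:
    def __init__(self) -> None:
        self.sessions: set = set()      # open command sessions
        self.accounts: dict = {}        # toy store: localpart -> password

    def handle(self, raw: str) -> str:
        """Process one inbound <iq type='set'/> and return the reply stanza."""
        iq = ET.fromstring(raw)
        cmd = iq.find(f"{{{NS_CMD}}}command")
        if cmd is None or cmd.get("node") != NODE:
            return self._stanza_error(iq, "item-not-found")
        sid = cmd.get("sessionid")
        if sid is None:                                    # stage 1: new session
            sid = secrets.token_urlsafe(12)
            self.sessions.add(sid)
            return self._reply(iq, sid, "executing", form=self._blank_form())
        if sid not in self.sessions:                       # unknown/expired session
            return self._stanza_error(iq, "bad-request")
        fields = self._submitted_fields(cmd)               # stage 2: submitted form
        username, password = fields.get("username", ""), fields.get("password", "")
        problem = self._policy(username, password)
        if problem:
            # Policy failure: keep the session open, return the form with an error note.
            return self._reply(iq, sid, "executing", form=self._blank_form(),
                               note=("error", problem))
        self.accounts[username] = password                 # real servers hash this
        self.sessions.discard(sid)
        return self._reply(iq, sid, "completed", note=("info", "account created"))

    def _policy(self, username: str, password: str):
        """Server-side password policy; possible only because the server sees the plaintext."""
        if not username or not password:
            return "username and password are required"
        if username in self.accounts:
            return "that username is taken"
        if len(password) < MIN_PASSWORD_LEN:
            return f"password must be at least {MIN_PASSWORD_LEN} characters"
        if username.lower() in password.lower():
            return "password must not contain the username"
        return None

    @staticmethod
    def _blank_form() -> ET.Element:
        x = ET.Element(f"{{{NS_DATA}}}x", type="form")
        for var, ftype in (("username", "text-single"), ("password", "text-private")):
            field = ET.SubElement(x, f"{{{NS_DATA}}}field", var=var, type=ftype)
            ET.SubElement(field, f"{{{NS_DATA}}}required")
        return x

    @staticmethod
    def _submitted_fields(cmd: ET.Element) -> dict:
        x = cmd.find(f"{{{NS_DATA}}}x")
        fields = {}
        if x is not None:
            for field in x.findall(f"{{{NS_DATA}}}field"):
                value = field.find(f"{{{NS_DATA}}}value")
                fields[field.get("var")] = (value.text or "") if value is not None else ""
        return fields

    @staticmethod
    def _reply(iq, sid, status, form=None, note=None) -> str:
        out = ET.Element("iq", type="result", id=iq.get("id", ""))
        cmd = ET.SubElement(out, f"{{{NS_CMD}}}command", node=NODE, sessionid=sid, status=status)
        if note:
            ET.SubElement(cmd, f"{{{NS_CMD}}}note", type=note[0]).text = note[1]
        if form is not None:
            cmd.append(form)
        return ET.tostring(out, encoding="unicode")

    @staticmethod
    def _stanza_error(iq, condition: str) -> str:
        out = ET.Element("iq", type="error", id=iq.get("id", ""))
        err = ET.SubElement(out, "error", type="cancel")
        ET.SubElement(err, f"{{{NS_STANZAS}}}{condition}")
        return ET.tostring(out, encoding="unicode")


# ---- small helpers for reading replies -----------------------------------

def session_id(reply: str) -> str:
    return ET.fromstring(reply).find(f"{{{NS_CMD}}}command").get("sessionid")


def command_status(reply: str) -> str:
    return ET.fromstring(reply).find(f"{{{NS_CMD}}}command").get("status")


if __name__ == "__main__":
    srv = RegistrationCommand()
    r1 = srv.handle(client_execute("r1"))
    sid = session_id(r1)
    print(srv.handle(client_submit("r2", sid, "alice", "short")))   # policy error, still executing
    print(srv.handle(client_submit("r3", sid, "alice", "correct horse battery")))  # completed
```

Run as a script it prints the two server replies: the rejected submission comes back with status 'executing', an error note and the form again, and the accepted one comes back 'completed'. A stanza addressed to any other node, or carrying a session id the handler never issued, gets a stanza error rather than a command reply.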