Hello Florian
 
Yes, you can prevent mass-registration of non-human users using other 
mechanisms. The important part here is not to deprecate the IBR method, but to 
build on it, if possible, in a pluggable manner. The CAPTCHA mechanism provided 
a start for how this can be done. But it is not a good method to recommend, as 
dedicated robots today solve CAPTCHA problems quite successfully. (And the 
method selected should not rely on web technologies either, but should work 
using XMPP alone.)
 
In XEP-0348 I propose a solution where the IBR registration form is signed 
using secret credentials, without revealing the credentials, in a secure manner 
using a signature method that has been around for a while (OAUTH). This makes 
it possible for trusted parties (manufacturer, software provider, device 
make/model etc.) to automatically create accounts, either freely or in batches 
of a specified amount on specific servers. You could also improve on this, by 
making the signature method pluggable, for instance using Dynamic Forms 
(XEP-0336). This means you can provide a mechanism (as the one proposed in 
XEP-0348) for things that have no human users, and another method that can be 
used by humanly operated clients (like reCAPTCHA or something similar), where 
you don't want to build credentials into the firmware. In this way, you 
could create a solution that does not limit it to one specific signature 
method, but that has a pluggable (SASL-like) method, that can be used on top of 
an already established technology, such as IBR that is widely supported already.
 
Best regards,
Peter Waher
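The idea in the message above, a registration form signed with a secret the server can verify but the device never transmits, plus a per-key batch quota, can be illustrated in code. What follows is an added example written for this page; it is not XEP-0348's own signing algorithm (that specification builds on OAuth-style signatures), nor code from any XMPP server or library. The field names (`key_id`, `nonce`, `timestamp`, `signature`), the HMAC-SHA256 construction, the canonicalisation rule and the sample secret are all assumptions made for the example. The form is represented as a plain dict rather than XMPP stanzas so it runs offline.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed example: one manufacturer key id and its secret, provisioned to the
# server and to the device firmware out of band. The secret itself never goes over
# the wire; only the HMAC over the form fields does.
KEYS = {"acme-sensor-v1": b"constructed-secret-do-not-use"}

# Fields covered by the signature. key_id, nonce and timestamp are included so that
# key substitution, replay and stale requests all invalidate the signature.
SIGNED_FIELDS = ("username", "password", "key_id", "nonce", "timestamp")


def canonical_string(fields):
    """Sort and percent-encode fields so client and server serialise identically."""
    return "&".join(
        f"{quote(k, safe='')}={quote(str(fields[k]), safe='')}" for k in sorted(fields)
    )


def sign_registration(fields, secret):
    """Client side: return a copy of the form with a 'signature' field added."""
    base = canonical_string({k: fields[k] for k in SIGNED_FIELDS})
    signature = hmac.new(secret, base.encode(), hashlib.sha256).hexdigest()
    return {**fields, "signature": signature}


class RegistrationVerifier:
    """Server side: verify the signed form and enforce a per-key batch quota."""

    def __init__(self, keys, quotas, max_skew=300, now=time.time):
        self.keys = keys              # key_id -> secret
        self.quotas = dict(quotas)    # key_id -> remaining registrations
        self.seen = set()             # (key_id, nonce) pairs already accepted
        self.max_skew = max_skew      # accepted clock difference in seconds
        self.now = now                # injectable clock, for deterministic tests

    def verify(self, form):
        try:
            signed_part = {k: form[k] for k in SIGNED_FIELDS}
            presented = form["signature"]
        except KeyError as missing:
            return False, f"missing field {missing}"

        key_id = signed_part["key_id"]
        secret = self.keys.get(key_id)
        if secret is None:
            return False, "unknown key"
        # Reject requests outside the clock window before doing anything else.
        if abs(self.now() - int(signed_part["timestamp"])) > self.max_skew:
            return False, "stale timestamp"
        # A nonce may be used once per key; re-sending a captured form fails here.
        if (key_id, signed_part["nonce"]) in self.seen:
            return False, "replayed nonce"
        expected = sign_registration(signed_part, secret)["signature"]
        # Constant-time comparison avoids leaking the signature byte by byte.
        if not hmac.compare_digest(expected, str(presented)):
            return False, "bad signature"
        if self.quotas.get(key_id, 0) <= 0:
            return False, "quota exhausted"
        self.seen.add((key_id, signed_part["nonce"]))
        self.quotas[key_id] -= 1
        return True, "ok"


if __name__ == "__main__":
    # Constructed device registration: the firmware signs, the server verifies.
    form = {
        "username": "sensor-0001",
        "password": "device-chosen-password",
        "key_id": "acme-sensor-v1",
        "nonce": "n1",
        "timestamp": int(time.time()),
    }
    signed = sign_registration(form, KEYS["acme-sensor-v1"])
    server = RegistrationVerifier(KEYS, {"acme-sensor-v1": 10})
    print(server.verify(signed))   # first use accepted
    print(server.verify(signed))   # same nonce again is rejected
```

The verifier deliberately checks the cheap conditions (known key, fresh timestamp, unseen nonce) before computing the HMAC, and only consumes quota after the signature has been accepted, so that forged or replayed forms cannot exhaust a manufacturer's batch. Making the scheme pluggable, as the message suggests, would amount to selecting `sign_registration` and the verifier by a method name carried in the form rather than hard-wiring HMAC-SHA256.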
 
 
 
> 
> On 15.11.2015 17:18, Peter Waher wrote:
> > Hello Florian
> >  
> > XEP-0158 is not a good idea for three reasons: First, CAPTCHA is no
> > longer deemed a secure protection against bots (see Google's reCAPTCHA).
> > Secondly, it doesn't solve the problem of IoT, with things not operated
> > by humans. Thirdly, you don't want clients to have to implement support
> > for other protocols, such as HTTP, to fetch images (or audio/video),
> > which will make the solution impractical (or even impossible) on devices
> > with limited resources.
> 
> Not if the goal is to prevent mass registration of non-human users. Some
> captcha like mechanisms still hold strong against automated registrations.
> 
> Your IoT case is different. You have non-human XMPP clients. The
> question now is: How to distinguish "bad" clients from "good" ones
> trying to register. If I were to design an approach how those clients
> register an account with an XMPP server, then I would simply make the
> client require a secret token for registration. And this can already be
> done with XEP-0077.
> 
> Or what is your idea how it should work?
> 
> - Florian