Hello Florian
Yes, you can prevent mass-registration of non-human users using other
mechanisms. The important part here is not to deprecate the IBR method, but to
build on it, if possible, in a pluggable manner. The CAPTCHA mechanism provided
a start for how this can be done. But it is not a good method to recommend, as
dedicated robots today solve CAPTCHA problems quite successfully. (And the
method selected should not rely on web technologies either, but should work
using XMPP alone.)
In XEP-0348 I propose a solution where the IBR registration form is signed
using secret credentials, without revealing the credentials, in a secure manner
using a signature method that has been around for a while (OAuth). This makes
it possible for trusted parties (manufacturer, software provider, device
make/model etc.) to automatically create accounts, either freely or in batches
of a specified amount on specific servers. You could also improve on this, by
making the signature method pluggable, for instance using Dynamic Forms
(XEP-0336). This means you can provide a mechanism (as the one proposed in
XEP-0348) for things that have no human users, and another method that can be
used by human-operated clients (like reCAPTCHA or something similar), where
you don't want to build credentials into the firmware. In this way, you
could create a solution that does not limit it to one specific signature
method, but that has a pluggable (SASL-like) method, that can be used on top of
an already established technology, such as IBR, which is widely supported already.
Best regards,
Peter Waher
>
> On 15.11.2015 17:18, Peter Waher wrote:
> > Hello Florian
> >
> > XEP-0158 is not a good idea for three reasons: First, CAPTCHA is no
> > longer deemed a secure protection against bots (see Google's reCAPTCHA).
> > Secondly, it doesn't solve the problem of IoT, with things not operated
> > by humans. Thirdly, you don't want clients to have to implement support
> > for other protocols, such as HTTP, to fetch images (or audio/video),
> > which will make the solution impractical (or even impossible) on devices
> > with limited resources.
>
> Not if the goal is to prevent mass registration of non-human users. Some
> captcha like mechanisms still hold strong against automated registrations.
>
> Your IoT case is different. You have non-human XMPP clients. The
> question now is: How to distinguish "bad" clients from "good" ones
> trying to register. If I were to design an approach how those clients
> register an account with an XMPP server, then I would simply make the
> client require a secret token for registration. And this can already be
> done with XEP-0077.
>
> Or what is your idea how it should work?
>
> - Florian