From 798400210d60a0f82e9c38d32c1e1b69769e8985 Mon Sep 17 00:00:00 2001 From: Guus der Kinderen Date: Fri, 5 Jan 2024 10:41:46 +0100 Subject: [PATCH 1/3] XEP-0133: Retract 'Get User Password' command Retrieving a password implies storage of plaintext passwords. That's no longer an acceptable practice. --- xep-0133.xml | 96 +++++----------------------------------------------- 1 file changed, 9 insertions(+), 87 deletions(-) diff --git a/xep-0133.xml b/xep-0133.xml index 4fadc78b..119d0faa 100644 --- a/xep-0133.xml +++ b/xep-0133.xml @@ -21,6 +21,12 @@ admin &stpeter; + + 1.3 + 2024-01-04 + gdk + Removed use case 'Get User Password', which violates best-practices with regard to security. + 1.2 2017-07-15 @@ -110,7 +116,7 @@
  • Disable User
  • Re-Enable User
  • End User Session
  • -
  • Get User Password
  • +
  • Get User Password (retracted)
  • Change User Password
  • Get User Roster
  • Get User Last Login Time
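Review bot: the use-case list entry is renamed to 'Get User Password (retracted)' so that the numbering of the entries that follow it is preserved, which is also the stated reason for keeping the section in the third hunk; make sure the heading of that section carries the same '(retracted)' suffix, otherwise the list in this hunk and the section titles no longer match and a reader following the list will not find the retraction text.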
  • @@ -539,92 +545,8 @@ ]]> - -

    An administrator may need to retrieve a user's password. The command node for this use case SHOULD be "http://jabber.org/protocol/admin#get-user-password".

    -

    A sample protocol flow for this use case is shown below.

    - - - -]]> -

    Unless an error occurs (see the Error Handling section below), the service SHOULD return the appropriate form.

    - - - - Getting a User's Password - Fill out this form to get a user's password. - - http://jabber.org/protocol/admin - - - - - - - -]]> -

    Note: If the entity is an end user, the JID SHOULD be of the form <user@host>, not <user@host/resource>.

    - - - - - http://jabber.org/protocol/admin - - - juliet@shakespeare.lit - - - - -]]> -

    Naturally, the data form included in the IQ result will include the user's password.

    - - - - - http://jabber.org/protocol/admin - - - juliet@shakespeare.lit - - - R0m30 - - - - -]]> + +

    Up to and including revision 1.2 of this XEP, this section defined a command that could be used to retrieve a user's password. This implies that the implementation stores plaintext passwords, a practise that is a well-documented vulnerabilityOWASP: Password Plaintext Storage <https://owasp.org/www-community/vulnerabilities/Password_Plaintext_Storage>. This command has therefore been retracted from this XEP. To retain section numbering, this text replaces the command definition that previously existed in this section.

    An administrator may need to change a user's password. The command node for this use case SHOULD be "http://jabber.org/protocol/admin#change-user-password".
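Review bot: the revision block added at the top of this patch (the first hunk) records the version as '1.3', but the XEP tooling expects the three-component form, which is why PATCH 3/3 of this series has to change it to '1.3.0'; use '1.3.0' here so that no commit in the series carries a version string the build rejects. Minor: in the remark, 'best-practices' is a noun phrase here and should not be hyphenated ('violates best practices').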
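Review bot: the replacement text explains why the command was removed but says nothing about what a service should do when a client still sends the old node 'http://jabber.org/protocol/admin#get-user-password'; add a sentence stating that implementations SHOULD NOT support that node and SHOULD answer such requests with an error, and point readers to the 'Change User Password' command (admin#change-user-password, the section that follows) as the supported way to deal with a lost password, so the retraction does not leave existing deployments with undefined behaviour. Two wording points in the new paragraph: 'practise' should be 'practice' (the noun; the commit message already uses that spelling), and 'stores plaintext passwords' is narrower than the actual problem, since a retrievable password can also be stored under reversible encryption; 'stores passwords in a recoverable form' covers both cases and still matches the cited OWASP entry. Also check that the OWASP citation renders as a footnote or link in the document's usual style rather than running into the word 'vulnerability' as it does in the hunk as shown here.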

    From 5b55aad8818f733ea5204835b13606114911f039 Mon Sep 17 00:00:00 2001 From: Guus der Kinderen Date: Fri, 5 Jan 2024 10:50:11 +0100 Subject: [PATCH 2/3] XEP-0133: Add 'Approver' to header --- xep-0133.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/xep-0133.xml b/xep-0133.xml index 119d0faa..ed8fbbd4 100644 --- a/xep-0133.xml +++ b/xep-0133.xml @@ -13,6 +13,7 @@ Active Informational Standards + Council RFC 6120 XEP-0050 From ca9b96e8a2fba1c1b83523b418d5dab1b3c253f3 Mon Sep 17 00:00:00 2001 From: Kevin Smith Date: Mon, 22 Jan 2024 14:19:45 +0000 Subject: [PATCH 3/3] Update xep-0133.xml version Change version to make tools happy --- xep-0133.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xep-0133.xml b/xep-0133.xml index ed8fbbd4..1051ce69 100644 --- a/xep-0133.xml +++ b/xep-0133.xml @@ -23,7 +23,7 @@ admin &stpeter; - 1.3 + 1.3.0 2024-01-04 gdk Removed use case 'Get User Password', which violates best-practices with regard to security.
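Review bot: PATCH 3/3 only corrects a value that PATCH 1/3 introduced ('Change version to make tools happy' turns '1.3' into '1.3.0'); squash it into that patch so the series never contains an intermediate commit whose version string the tooling rejects, and so the revision entry is added once in its final form. If the series is kept as three commits, the commit message should name the tool and the check that rejected '1.3', since 'make tools happy' does not let a later reader recover the reason.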