diff --git a/xep-0048.xml b/xep-0048.xml index 824bb9c2..be7213eb 100644 --- a/xep-0048.xml +++ b/xep-0048.xml @@ -33,8 +33,8 @@ &pgmillard; &stpeter; - 1.1pre4 - in progress, last updated 2007-10-18 + 1.1pre5 + in progress, last updated 2007-10-24 psa

For security reasons, actively discouraged use of the password element; specified use of publish-subscribe private information nodes as the preferred storage mechanism; cleaned up the text and examples.
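Review bot: The revision remark kept as context at the end of this hunk still describes the change only as "actively discouraged use of the password element", while the 1.1pre5 text elsewhere in this patch also allows the element in suitably secure environments and adds client requirements (SHOULD NOT default to storing passwords, MUST enable users to disable any password storage). Consider extending the remark so the revision history records the new normative client behaviour and not just the discouragement.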

@@ -106,9 +106,9 @@ <password/> element - Unencrypted string for the password needed to enter a password-protected room. Use of this element is now deprecated for security reasons. + Unencrypted string for the password needed to enter a password-protected room. For security reasons, use of this element is NOT RECOMMENDED. string - DEPRECATED + NOT RECOMMENDED

Note: The datatypes are as defined in &w3xmlschema2;.
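Review bot: In the <password/> row, both the description and the cell after the datatype now read NOT RECOMMENDED, but the row gives no pointer to the Security Considerations text that carries the conditions under which the element MAY still be used and the requirements on clients. Someone implementing from the table alone sees only the discouragement; a short cross-reference to the Security Considerations section in the description cell would close that gap.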

@@ -272,7 +272,7 @@

Security considerations related to object persistent via publish-subscribe are described in XEP-0060 and XEP-0223.

-

As noted, use of the <password/> child of the <conference/> element is deprecated and discouraged, since the password could be discovered by a third party, e.g. an eavedropper (if channel encryption is not used) or a server administrator.

+

Use of the <password/> child of the <conference/> element is NOT RECOMMENDED, since the password could be discovered by a third party, e.g. an eavesdropper (if channel encryption is not used) or a server administrator. However, the element MAY be used in suitably secure environments (e.g., where it is known that communications will not be sent over unencrypted channels and the server administrators are trusted). Clients SHOULD NOT default to storing passwords and MUST enable users to disable any password storage.
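Review bot: The added requirement that clients "MUST enable users to disable any password storage" does not say what happens to a <password/> value that is already stored when the user turns storage off; suggest stating whether the client is expected to remove existing <password/> elements from the stored bookmarks. The MAY clause also depends on conditions (no unencrypted channels, trusted server administrators) that a client cannot verify on its own, so it would help to say that this is a deployment decision rather than something a client infers. While this section is being touched, the context line above reads "object persistent via publish-subscribe", which looks like it should be "object persistence".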

@@ -313,6 +313,7 @@ +