Abstract

ometimes there might be a need for an application to sign a data form (Data Forms (XEP-0004) [1]) using other credentials than provided by the XMPP account or connection. An example can be automatic account creation using In-Band Registration (XEP-0077) [2]. Many server operators disable the in-band registration feature since it makes it possible for malicious users or robots to freely create accounts on the server. One way to combat robots, has been through the use of CAPTCHA Forms (XEP-0158) [3]. But in some cases, like in the Internet of Things, it is not robots that are the problem, but malicious users. This document describes a method whereby forms can be signed using other credentials. This can be used in an In-band registration form to sign the form with the credentials of a special account on the server with permissions to create new XMPP accounts, with perhaps a limit on number of accounts that can be created. This method can be used by manufacturers of devices for Internet of Things, so that devices can create accounts automatically on XMPP servers in an orderly fashion, and manufacturers are allowed to administer and control their automatically created accounts separately. It also provides a mechanism whereby server operators can monitor who is responsible for account creation and to what extent.