XSF Discussion - 2022-10-24

  1. mathieui

    could we standardize a common private pep namespace for keeping account secrets?

  2. mathieui

    I mean, account recovery is the most painful thing

  3. MattJ

    What are you proposing to store in there?

  4. pep.

    Everything that would be useful to cop^Widentify a user

  5. MattJ

    Well that's basically it

  6. MattJ

    The traditional solution is to have a secondary contact method (usually email, possibly phone number)

  7. pep.

    Yeah. That's also what I would do, an optional secondary contact method

  8. pep.

    And if there isn't one, too bad

  9. MattJ

    Yes, it should be the user's choice. No recovery contact, no recovery.

  10. MattJ

    Or you know what we could do? Have the user provide some secret arbitrary string for their account, which, upon presentation, proves they are the account owner...

  11. pep.

    Yeah riseup does that

  12. pep.

    And that can be automated even

  13. pep.

    The server could even generate it itself during account creation

  14. MattJ

    The joke was that I was describing passwords 🙂

  15. pep.

  16. MattJ

    And we know all the things we do to protect passwords already. If we have recovery secrets, we'd need to do the same for those unless we want to weaken security. And if the user can't remember the password, how can they remember a (secure) recovery string?

  17. pep.

    Who manages xmpp.work nowadays? I just realized "free software" (/ foss) wasn't a label there. Is there a way to add it?

  18. emus

    pep.: I think guus offered to support