[Council] 77 and 78

Peter Saint-Andre stpeter at jabber.org
Wed Jun 18 13:01:35 CDT 2003


I fixed this stuff so I think 78 is ready to go. The latest version is
now here:

http://www.jabber.org/jeps/jep-0078.html

Peter

On Mon, Jun 16, 2003 at 03:29:49PM -0600, Joe Hildebrand wrote:
> > If both client and server implement SASL, they SHOULD use 
> > SASL. If a client does not implement SASL, obviously it will 
> > have to use iq:auth, but a server MAY disable that (or enable 
> > it only if the stream is encrypted). Yes?
> 
> That's great.
> 
> > > There really ought to be a stream:feature for it though....
> > 
> > True, I'll add that as a note.
> 
> Does IANA have to register stream features?  Jabber registrar?  Jabber
> registrar for things beginning with jabber: ?
> 
> > Client implementations MUST NOT make plaintext the default 
> > mechanism, and MUST warn the user that the plaintext 
> > mechanism is insecure. The plaintext mechanism SHOULD NOT be 
> > used unless the underlying stream is encrypted (using SSL or 
> > TLS) and the client has verified that the server certificate 
> > is signed by a trusted certificate authority. A given domain 
> > MAY choose to disable plaintext logins and password changes 
> > if the stream is not properly encrypted, or disable them 
> > entirely. If a client attempts to use the plaintext 
> 
> If a client implements, and allows the server to specify digest or
> plaintext.
> 
> > mechanism, an upgrade attack is possible, in which a 
> > man-in-the-middle tricks the client into revealing the user's 
> > plaintext password.
> 
> Other than that, looks fine.

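A worked model of the jabber:iq:auth exchange the thread is debating, added here as an example; it is not part of the original message, of JEP-0078, or of the jabber.org code base. It shows the digest mechanism (JEP-0078: SHA-1 over the stream ID concatenated with the password, lowercase hex), the client policy Peter quotes (prefer digest; send a plaintext password only over an encrypted stream with a verified server certificate), and the "upgrade" attack Joe's quoted paragraph describes, in which a man-in-the-middle removes `<digest/>` from the server's reply so that a careless client falls back to plaintext. The stream ID, username, password, resource and the `mitm_strip_digest` attacker are constructed for the example; the stanzas are built with the standard library only, so nothing touches the network.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = "jabber:iq:auth"


class PlaintextRefused(Exception):
    """Client policy: a plaintext password goes only over a verified, encrypted stream."""


def digest_for(stream_id, password):
    # JEP-0078 digest: SHA-1 over (stream ID || password), rendered as lowercase hex.
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def _tag(elem):
    # ElementTree reports parsed tags as "{jabber:iq:auth}name"; keep only "name".
    return elem.tag.rsplit("}", 1)[-1]


def server_offer(username):
    """Server's <iq type='result'/> listing the fields it accepts; digest is offered."""
    iq = ET.Element("iq", type="result", id="auth1")
    q = ET.SubElement(iq, "query", xmlns=NS)
    ET.SubElement(q, "username").text = username
    for field in ("password", "digest", "resource"):
        ET.SubElement(q, field)
    return ET.tostring(iq, encoding="unicode")


def mitm_strip_digest(stanza):
    """Constructed attacker on an unencrypted stream: delete <digest/> from the
    server's offer so that plaintext is the only mechanism left (re-serialised
    with an ns0: prefix, which is still the same XML)."""
    iq = ET.fromstring(stanza)
    q = iq.find("{%s}query" % NS)
    for child in list(q):
        if _tag(child) == "digest":
            q.remove(child)
    return ET.tostring(iq, encoding="unicode")


def offered_fields(stanza):
    q = ET.fromstring(stanza).find("{%s}query" % NS)
    return {_tag(child) for child in q}


def client_auth(stanza, stream_id, username, password, resource,
                stream_encrypted, cert_verified, allow_insecure_plaintext=False):
    """Build the client's <iq type='set'/>; returns (mechanism, stanza).

    Digest is preferred whenever offered. Plaintext is used only when the stream
    is encrypted and the certificate was verified; allow_insecure_plaintext=True
    models the weak client that falls back to plaintext regardless."""
    fields = offered_fields(stanza)
    iq = ET.Element("iq", type="set", id="auth2")
    q = ET.SubElement(iq, "query", xmlns=NS)
    ET.SubElement(q, "username").text = username
    ET.SubElement(q, "resource").text = resource
    if "digest" in fields:
        ET.SubElement(q, "digest").text = digest_for(stream_id, password)
        return "digest", ET.tostring(iq, encoding="unicode")
    if "password" in fields:
        if not (stream_encrypted and cert_verified) and not allow_insecure_plaintext:
            raise PlaintextRefused("only plaintext offered on an unprotected stream")
        ET.SubElement(q, "password").text = password
        return "password", ET.tostring(iq, encoding="unicode")
    raise ValueError("no usable mechanism offered")


def server_verify(stanza, stream_id, stored_password):
    """Server side check; note the server needs the plaintext password to recompute
    the digest, since the digest is not a stored hash."""
    q = ET.fromstring(stanza).find("{%s}query" % NS)
    d = q.find("{%s}digest" % NS)
    if d is not None:
        return hmac.compare_digest(d.text or "", digest_for(stream_id, stored_password))
    p = q.find("{%s}password" % NS)
    if p is not None:
        return hmac.compare_digest(p.text or "", stored_password)
    return False


def demo():
    sid, user, pw = "3EE948B0", "juliet", "Calli0pe"  # constructed values
    results = {}
    # 1. Honest server, any stream: digest is chosen and the password never goes on the wire.
    mech, stanza = client_auth(server_offer(user), sid, user, pw, "balcony",
                               stream_encrypted=False, cert_verified=False)
    results["honest"] = (mech, server_verify(stanza, sid, pw), pw in stanza)
    # 2. Man-in-the-middle strips <digest/>; the policy-following client refuses to fall back.
    tampered = mitm_strip_digest(server_offer(user))
    try:
        client_auth(tampered, sid, user, pw, "balcony", False, False)
        results["hardened"] = "sent plaintext"
    except PlaintextRefused:
        results["hardened"] = "refused"
    # 3. Same attack against a client that allows insecure plaintext: the password leaks.
    mech, stanza = client_auth(tampered, sid, user, pw, "balcony", False, False,
                               allow_insecure_plaintext=True)
    results["weak"] = (mech, pw in stanza)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind beyond what the thread says: the digest only hides the password from a passive observer, since an attacker who can read the stream ID and the digest can still run an offline dictionary attack on SHA-1(stream ID + password), and the server must keep the plaintext password to verify it. A stream feature advertising iq:auth, which the thread also asks for, does not by itself stop the stripping attack either; only the client's refusal to send plaintext on an unprotected stream does.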

