[Standards-JIG] Re: Re: JEP-0077: In-Band Registration
Peter Saint-Andre
stpeter at jabber.org
Mon Jul 17 14:39:49 CDT 2006
Piotr Szturmaj wrote:
>> RFC 3920 says we use SASL, which includes mechanisms such as Kerberos,
>> DIGEST-MD5, and mutual authentication using X.509 certificates, etc. In
>> general we are pushing people to use those methods rather than trying to
>> upgrade the old methods documented in JEP-0078. If Kerberos, DIGEST-MD5,
>> and X.509 are not secure enough for you, I suggest that you may have a
>> future in IETF protocol development. ;-)
>
> SASL is enough for authentication for me, you probably missed my whole point
> ;-) All I want is storing hashes on disk instead of plain text passwords
> (even encrypted).
That's really an implementation issue, no?
> Currently this is impossible because I need to specify
> original password instead of hash (like in In-Band Registration).
Support for JEP-0077 is optional, and even then support for the change
password use case is optional.
> I *must*
> store original pass. Even if my client will hash it and use this hash like
> password, I will lose possibility to login from other client. Let's assume
> that passwords are hashed on server side, nobody (even administrator) can
> retrieve password, that's ok. But anyone can do it on client side. All I
> want is to make it impossible.
As I say, I think that's a client implementation issue. Does anything in
the protocols *force* the client to store the password in plaintext?
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
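An added illustration of the "implementation issue" point above (example code written for this page, not from the thread or any Jabber server): with SASL DIGEST-MD5 as defined in RFC 2831, the server can keep only MD5(username:realm:password) and still verify a login, because the response is derived from that 16-byte value rather than from the password. The realm "example.org", the user "alice" and her password are constructed sample values.

```python
import hashlib
import hmac
import secrets

def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    # RFC 2831 (section 2.1.2.1): the server may keep this 16-byte value in
    # place of the password. It is bound to the username and the realm.
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        digest_uri: str, qop: str = "auth") -> str:
    # response-value from RFC 2831: H(A1) chains the raw stored secret with the
    # server nonce and client nonce, so neither side needs the password here.
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop != "auth":  # auth-int / auth-conf append a 32-zero body hash
        a2 += ":" + "0" * 32
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()

# Constructed server-side store: username -> stored secret, no password kept.
REALM = "example.org"
USER_DB = {"alice": digest_md5_secret("alice", REALM, "correct horse")}

def server_verify(username: str, nonce: str, cnonce: str, nc: str,
                  digest_uri: str, response: str) -> bool:
    # Server side: recompute the expected response from the stored secret and
    # compare in constant time.
    stored = USER_DB.get(username)
    if stored is None:
        return False
    expected = digest_md5_response(stored, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)

def client_login(username: str, password: str, nonce: str, digest_uri: str) -> bool:
    # Client side: derive the same secret from the typed password and answer
    # the server's nonce challenge. The password itself is never transmitted.
    cnonce = secrets.token_hex(16)
    secret = digest_md5_secret(username, REALM, password)
    response = digest_md5_response(secret, nonce, cnonce, "00000001", digest_uri)
    return server_verify(username, nonce, cnonce, "00000001", digest_uri, response)

if __name__ == "__main__":
    nonce = secrets.token_hex(16)
    print(client_login("alice", "correct horse", nonce, "xmpp/example.org"))  # True
    print(client_login("alice", "wrong password", nonce, "xmpp/example.org"))  # False
```

The stored value is still a password equivalent for that realm (anyone who reads it can authenticate as the user there), so it must be protected like the password it replaces; it only removes the need for the plaintext on disk, which is the point under discussion.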