[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]
Mridul Muralidharan
mridul at sun.com
Wed Sep 12 11:53:47 CDT 2007
Greg Hudson wrote:
> On Tue, 2007-09-11 at 19:51 +0100, Dave Cridland wrote:
>> If I ruled the world, I'd mandate TLS+SCRAM, and have a SHOULD for
>> TLS+YAP (the latter being plaintext-equiv on the server, but only a
>> single round-trip, so great for mobiles).
>
> You may be missing the most popular reason for sending plain-text
> passwords to the server (over TLS, one hopes): it's the only way for the
> server to check the password against an external verifier such as an
> LDAP server, AD controller, or Kerberos KDC. (GSSAPI krb5 auth is much
> better if you have an AD controller or Kerberos KDC, of course, but I
> don't hold out much hope for that being universally implemented in
> clients.)
>
>
Yes, I mentioned the same a few posts back - auth proxying can be done
across a variety of mechanisms/deployments only with SASL PLAIN (and the
deprecated jabber:iq:auth) in XMPP.
- Mridul