[Council] 77 and 78

Joe Hildebrand JHildebrand at jabber.com
Mon Jun 16 16:29:49 CDT 2003


> If both client and server implement SASL, they SHOULD use 
> SASL. If a client does not implement SASL, obviously it will 
> have to use iq:auth, but a server MAY disable that (or enable 
> it only if the stream is encrypted). Yes?

That's great.

> > There really ought to be a stream:feature for it though....
> 
> True, I'll add that as a note.

Does IANA have to register stream features?  Jabber registrar?  Jabber
registrar for things beginning with jabber: ?

> Client implementations MUST NOT make plaintext the default 
> mechanism, and MUST warn the user that the plaintext 
> mechanism is insecure. The plaintext mechanism SHOULD NOT be 
> used unless the underlying stream is encrypted (using SSL or 
> TLS) and the client has verified that the server certificate 
> is signed by a trusted certificate authority. A given domain 
> MAY choose to disable plaintext logins and password changes 
> if the stream is not properly encrypted, or disable them 
> entirely. If a client attempts to use the plaintext 

If a client implements, and allows the server to specify digest or
plaintext.

> mechanism, an upgrade attack is possible, in which a 
> man-in-the-middle tricks the client into revealing the user's 
> plaintext password.

Other than that, looks fine.
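The client-side rule in the quoted text (prefer digest; never default to plaintext; plaintext only over an encrypted, certificate-verified stream after warning the user), as an added example written for this page and not code from the JEP or from anyone in the thread. It parses a jabber:iq:auth field list, computes the JEP-0078 SHA-1 digest, and refuses to answer when only plaintext is offered on an unprotected stream, which is exactly what a man-in-the-middle stripping <digest/> would produce. The stream ID, user, password and helper names are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "jabber:iq:auth"

# Constructed sample: the server's reply to an iq:auth "get", listing the
# fields it will accept for this user (digest is offered here).
SERVER_FIELDS = (
    "<iq type='result' id='auth1'>"
    f"<query xmlns='{NS}'><username>juliet</username>"
    "<password/><digest/><resource/></query></iq>"
)

def offered_fields(iq_xml):
    """Return the set of field names the server offers, e.g. {'password', 'digest'}."""
    query = ET.fromstring(iq_xml).find(f"{{{NS}}}query")
    return {child.tag.split("}", 1)[1] for child in query}

def digest_token(stream_id, password):
    # JEP-0078 digest: lowercase hex SHA-1 of the stream ID concatenated with the password.
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()

def choose_mechanism(fields, stream_encrypted, cert_verified, user_accepted_plaintext):
    """Prefer digest; allow plaintext only on an encrypted, verified stream after the warning."""
    if "digest" in fields:
        return "digest"
    if ("password" in fields and user_accepted_plaintext
            and stream_encrypted and cert_verified):
        return "password"
    return None  # only plaintext on a bare stream: treat as an upgrade attack and refuse

def build_auth_set(fields, stream_id, username, password, resource,
                   stream_encrypted=False, cert_verified=False,
                   user_accepted_plaintext=False):
    """Build the iq:auth 'set' stanza, or raise if no acceptable mechanism is available."""
    mech = choose_mechanism(fields, stream_encrypted, cert_verified, user_accepted_plaintext)
    if mech is None:
        raise ValueError("refusing to authenticate: only plaintext offered on an unprotected stream")
    iq = ET.Element("iq", type="set", id="auth2")
    query = ET.SubElement(iq, "query", xmlns=NS)
    ET.SubElement(query, "username").text = username
    if mech == "digest":
        ET.SubElement(query, "digest").text = digest_token(stream_id, password)
    else:
        ET.SubElement(query, "password").text = password
    ET.SubElement(query, "resource").text = resource
    return ET.tostring(iq, encoding="unicode")
```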


