[Council] 77 and 78
Joe Hildebrand
JHildebrand at jabber.com
Mon Jun 16 16:29:49 CDT 2003
> If both client and server implement SASL, they SHOULD use
> SASL. If a client does not implement SASL, obviously it will
> have to use iq:auth, but a server MAY disable that (or enable
> it only if the stream is encrypted). Yes?
That's great.
> > There really ought to be a stream:feature for it though....
>
> True, I'll add that as a note.
Does IANA have to register stream features? Jabber registrar? Jabber
registrar for things beginning with jabber: ?
> Client implementations MUST NOT make plaintext the default
> mechanism, and MUST warn the user that the plaintext
> mechanism is insecure. The plaintext mechanism SHOULD NOT be
> used unless the underlying stream is encrypted (using SSL or
> TLS) and the client has verified that the server certificate
> is signed by a trusted certificate authority. A given domain
> MAY choose to disable plaintext logins and password changes
> if the stream is not properly encrypted, or disable them
> entirely. If a client attempts to use the plaintext
If a client implements, and allows the server to specify digest or
plaintext.
> mechanism, an upgrade attack is possible, in which a
> man-in-the-middle tricks the client into revealing the user's
> plaintext password.
Other than that, looks fine.
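The digest/plaintext rules and the upgrade attack quoted above, as an added example that is not part of this thread or of any Jabber implementation; the mechanism names and the StreamState fields are assumptions:

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the Council thread): client-side choice between the
# "digest" and "plaintext" mechanisms discussed above. Names are assumed.
PREFERENCE = ("digest", "plaintext")   # strongest first; plaintext is a last resort

@dataclass(frozen=True)
class StreamState:
    encrypted: bool       # SSL/TLS negotiated on the stream
    cert_verified: bool   # server certificate chains to a trusted CA

@dataclass(frozen=True)
class Decision:
    mechanism: Optional[str]  # None means: abort, do not authenticate
    reason: str

def choose_mechanism(offered, stream, plaintext_opt_in=False):
    """Pick a mechanism from what the server offered.

    offered: mechanism names advertised by the server; the server's order is
             not trusted, since a man-in-the-middle can rewrite the offer.
    plaintext_opt_in: the user has been warned that plaintext is insecure and
             accepted it; plaintext is never chosen by default.
    """
    offered = {m.lower() for m in offered}
    for mech in PREFERENCE:
        if mech not in offered:
            continue
        if mech == "plaintext":
            if not plaintext_opt_in:
                return Decision(None, "only plaintext offered and user has not opted in")
            if not (stream.encrypted and stream.cert_verified):
                # This refusal is what blocks the upgrade attack: an attacker who
                # strips "digest" from the offer cannot make the client send the
                # password in the clear over an unverified stream.
                return Decision(None, "plaintext without verified encrypted stream; possible downgrade")
        return Decision(mech, f"{mech} offered and acceptable")
    return Decision(None, "no supported mechanism offered")
```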