[Council] 77 and 78
stpeter at jabber.org
Wed Jun 18 13:01:35 CDT 2003
I fixed this stuff so I think 78 is ready to go. The latest version is
On Mon, Jun 16, 2003 at 03:29:49PM -0600, Joe Hildebrand wrote:
> > If both client and server implement SASL, they SHOULD use
> > SASL. If a client does not implement SASL, obviously it will
> > have to use iq:auth, but a server MAY disable that (or enable
> > it only if the stream is encrypted). Yes?
> That's great.
> > > There really ought to be a stream:feature for it though....
> > True, I'll add that as a note.
> Does IANA have to register stream features? Jabber registrar? Jabber
> registrar for things beginning with jabber: ?
> > Client implementations MUST NOT make plaintext the default
> > mechanism, and MUST warn the user that the plaintext
> > mechanism is insecure. The plaintext mechanism SHOULD NOT be
> > used unless the underlying stream is encrypted (using SSL or
> > TLS) and the client has verified that the server certificate
> > is signed by a trusted certificate authority. A given domain
> > MAY choose to disable plaintext logins and password changes
> > if the stream is not properly encrypted, or disable them
> > entirely. If a client attempts to use the plaintext
> > mechanism, an upgrade attack is possible, in which a
> > man-in-the-middle tricks the client into revealing the user's
> > plaintext password.
> If a client implements, and allows the server to specify digest or
> Other than that, looks fine.
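The mechanism-selection rules quoted in this thread, written out as an added example (not code from the Council, the spec draft, or any Jabber implementation). It assumes a simplified model in which the server advertises mechanism names as strings; the `iq:auth/...` labels and the `StreamState` fields are assumptions for the example, and the upgrade attack is modelled as the offered list arriving with the stronger mechanisms missing.

```python
from dataclasses import dataclass

# Assumed labels for the example: SASL mechanism names plus two tags
# standing in for the legacy jabber:iq:auth digest and plaintext forms.
SASL_STRONG = ("DIGEST-MD5",)
SASL_PLAIN = "PLAIN"
IQ_AUTH_DIGEST = "iq:auth/digest"
IQ_AUTH_PLAIN = "iq:auth/plaintext"
PLAINTEXT = (SASL_PLAIN, IQ_AUTH_PLAIN)


@dataclass
class StreamState:
    encrypted: bool      # SSL/TLS negotiated on the stream
    cert_trusted: bool   # server certificate chains to a trusted CA


def choose_client_mechanism(offered, stream, user_accepted_plaintext=False):
    """Return the mechanism a client should use, or None to abort.

    Preference follows the thread: SASL before iq:auth, non-plaintext
    before plaintext.  Plaintext is never the default and is used only
    over an encrypted, certificate-verified stream after the user has
    been warned and accepted it.  If a man-in-the-middle strips the
    strong mechanisms from the offer, this function refuses rather than
    falling back, which is what defeats the upgrade attack.
    """
    for m in SASL_STRONG:
        if m in offered:
            return m
    if IQ_AUTH_DIGEST in offered:
        return IQ_AUTH_DIGEST
    plain = [m for m in PLAINTEXT if m in offered]
    if not plain:
        return None
    if not (stream.encrypted and stream.cert_trusted):
        return None  # plaintext over an unverified stream: refuse
    if not user_accepted_plaintext:
        return None  # client MUST warn; never silently send plaintext
    return plain[0]


def server_allows(mechanism, stream, plaintext_policy="encrypted-only"):
    """Server side: a domain MAY restrict plaintext to encrypted streams
    ("encrypted-only"), disable it entirely ("never"), or allow it ("always")."""
    if mechanism not in PLAINTEXT:
        return True
    if plaintext_policy == "never":
        return False
    if plaintext_policy == "encrypted-only":
        return stream.encrypted
    return True
```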