[JDEV] SASL, deployment and coding

Robert Norris rob at cataclysm.cx
Tue Feb 4 16:58:06 CST 2003


> 1) Can the User Registration that is built into SASL be used to join a 
> Jabber Server or must the Jabber Registration system (as stated in 
> http://www.jabber.org/protocol/registration.html ) be used? I ask 
> because SASL has built in registration and authentication, and I am 
> unsure how to tap into the SASL password files.

This hasn't really been discussed in any detail. I would suggest joining
the XMPP working group and bringing this question up there:

  http://www.jabber.org/cgi-bin/mailman/listinfo/xmppwg/

> 2) How felxable should a server be in the order of receved elements? 
> Should a server be hard line on receving elements in the order listed, 
> or should it be more open in the ordering, so long as all required 
> elements are there?

I'm not sure what you mean by this. Can you provide an example?

> 3) Has anyone else thought that all servers should require SASL 
> encription level of at least 40 (read 40 bit encription), and that with 
> this there should be an addition to Jabber:Server:DialBack and SASL so 
> that Server to server comunications are encripted, because what is the 
> good of a message that is only encripted some of the time.

For backwards compatibility reasons, its not possible to enforce the use
of SASL (and I doubt it ever will be). For guaranteed end-to-end
security, its necessary to encrypt individual packets using GPG (or
similar).

The XMPP working group are actively pursuing these issues. I suggest you
subscribe to the list and get involved :)

Rob.

-- 
Robert Norris                                       GPG: 1024D/FC18E6C2
Email+Jabber: rob at cataclysm.cx                Web: http://cataclysm.cx/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20030205/70daba30/attachment-0002.pgp>


More information about the JDev mailing list