[JDEV] SASL, deployment and coding
mass at akuma.org
Tue Feb 4 17:40:45 CST 2003
Matthew Beacher wrote:
> 1) Can the User Registration that is built into SASL be used to join a
> Jabber Server or must the Jabber Registration system (as stated in
> http://www.jabber.org/protocol/registration.html ) be used? I ask
> because SASL has built in registration and authentication, and I am
> unsure how to tap into the SASL password files.
AFAIK, SASL does not have user registration, just authentication. You
may have seen the mechanism registration, which is the procedure for
having the IANA recognize new authentication mechanisms.
> 2) How felxable should a server be in the order of receved elements?
> Should a server be hard line on receving elements in the order listed,
> or should it be more open in the ordering, so long as all required
> elements are there?
Ordering of child elements within a stanza does not matter in the
existing namespaces. Please let us know if you see documentation which
contradicts this :-)
> 3) Has anyone else thought that all servers should require SASL
> encription level of at least 40 (read 40 bit encription), and that
> with this there should be an addition to Jabber:Server:DialBack and
> SASL so that Server to server comunications are encripted, because
> what is the good of a message that is only encripted some of the time.
Since you cannot specify a required delivery path or required security
parameters (read: only on encrypted connections, to servers with a
certificate signed by a client-trusted CA), SSL cannot and should not
be used for end-to-end encryption. There is an informational draft which
describes how many existing clients use OpenPGP for end-to-end
encryption, and there are proposals on how to do this with the W3C XML
More information about the JDev