[JDEV] Re: Account information storage, plaintext? ...AND JabberD password storage

Andrew Sayers andrew-list-jabber-jdev at ccl.bham.ac.uk
Tue Sep 16 13:05:32 CDT 2003

On Tue, Sep 16, 2003 at 04:33:20PM +0100, Richard Dobson wrote:
> Yup creating a mechanism for the client handling auth is a possibility that
> I've been thinking about, but it does require protocol additions, changes to
> transports and all clients accessing them, so unless there is a major push
> by a large number of people then I don't see it happening.

Actually, this is a definite possibility for msn-tng.  The new MSN
authentication system involves registering separately with MS Passport
then passing on a "ticket" (which changes each time you log in) to your
Messenger server.  It's quite feasible to ask the client to do the
passport step and just ask for a ticket.  Allowing the client to do this
instead of the server is more in keeping with MS's single sign-on idea,
improves security, and allows people to do crazy things like proxy
Microsoft's messenger client over Jabber.

If we're going to put the infrastructure in place to do this, we might
as well put in the extra work to allow password-only authentication,
although the security benefit of this is dubious: now you have to
trust your server and transport at the moment of login, instead of just
your transport in perpetuity.

Note: none of this means we have any intention of dropping support for
the traditional method of storing the password on the server.

	- Andrew
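As an added illustration (not part of the original post, and not msn-tng, jabberd or Passport code), the following toy model contrasts the two login models discussed above: the traditional one, where the transport keeps the user's password so it can log in on their behalf indefinitely, and the proposed one, where the client performs the identity-provider step itself and hands the transport only a short-lived, per-login ticket. The ticket format, the HMAC signing, the TTL and all names are assumptions made for the example; the real Passport ticket looks nothing like this.

```python
"""Toy comparison of password-on-transport vs. client-obtained ticket.
Illustrative reimplementation only: ticket layout, TTL, field names and
the PBKDF2/HMAC choices are assumptions for the example, not any real
Passport or jabberd protocol detail."""

import hashlib
import hmac
import secrets
import time
from typing import Optional


class IdentityProvider:
    """Stands in for the separate registration/login step ("Passport")."""

    def __init__(self, ticket_ttl: int = 300):
        self._users = {}                      # user -> (salt, password hash)
        self._key = secrets.token_bytes(32)   # ticket-signing key; never leaves the IdP
        self.ticket_ttl = ticket_ttl

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def _mac(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), "sha256").hexdigest()

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """The only place the password is checked; returns a fresh ticket or None."""
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        expiry = int((now if now is not None else time.time()) + self.ticket_ttl)
        body = f"{user}|{expiry}|{secrets.token_hex(8)}"   # nonce: a new ticket per login
        return f"{body}|{self._mac(body)}"

    def verify(self, ticket: str, now: Optional[float] = None) -> Optional[str]:
        """Returns the user a ticket names, or None if it is forged or expired."""
        try:
            user, expiry, nonce, mac = ticket.split("|")
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(f"{user}|{expiry}|{nonce}")):
            return None
        if (now if now is not None else time.time()) >= int(expiry):
            return None
        return user


class Transport:
    """Jabber-side gateway to the legacy network; records what it must hold."""

    def __init__(self, idp: IdentityProvider):
        self.idp = idp
        self.stored = {}   # what an attacker who dumps this server would obtain

    def login_with_password(self, user: str, password: str, now=None) -> bool:
        """Traditional model: transport holds the password in perpetuity."""
        ticket = self.idp.login(user, password, now)
        if ticket is None:
            return False
        self.stored[user] = {"password": password, "ticket": ticket}
        return True

    def login_with_ticket(self, ticket: str, now=None) -> bool:
        """Proposed model: the client did the IdP step; the transport sees only a ticket."""
        user = self.idp.verify(ticket, now)
        if user is None:
            return False
        self.stored[user] = {"ticket": ticket}
        return True


def compare_models(now: float = 1_000_000.0) -> dict:
    """Run both flows and report what a later compromise of the transport yields."""
    idp = IdentityProvider(ticket_ttl=300)
    idp.register("alice", "correct horse")          # constructed sample account

    old = Transport(idp)
    old.login_with_password("alice", "correct horse", now)

    new = Transport(idp)
    t1 = idp.login("alice", "correct horse", now)   # client talks to the IdP itself
    t2 = idp.login("alice", "correct horse", now)
    new.login_with_ticket(t1, now)

    stolen = new.stored["alice"]["ticket"]
    tampered = stolen.replace("alice", "mallory", 1)
    return {
        "tickets_differ_per_login": t1 != t2,
        "old_transport_holds_password": "password" in old.stored["alice"],
        "new_transport_holds_password": "password" in new.stored["alice"],
        "stolen_ticket_valid_now": idp.verify(stolen, now) == "alice",
        "stolen_ticket_valid_later": idp.verify(stolen, now + 600) is not None,
        "tampered_ticket_accepted": idp.verify(tampered, now) is not None,
        "wrong_password_rejected": idp.login("alice", "wrong", now) is None,
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key}: {value}")
```

The report makes the trade-off in the post concrete: a dump of the "old" transport yields the password outright, while a dump of the "new" one yields a ticket that is only usable until it expires and cannot be re-targeted at another account. The remaining exposure is exactly the one noted above: the transport (and the server relaying the ticket) must still be trusted at the moment of login.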