[jdev] Re: Problem Connecting to GoogleTalk using my custom client

Stephen Pendleton spendleton at movsoftware.com
Tue Oct 25 12:43:37 CDT 2005

In practical use, what are the advantages of TLS/SSL with SASL DIGEST-MD5
versus TLS/SSL with SASL PLAIN authentication? DIGEST-MD5 seems to be such a
pain to have to add on the client and server sides. I can imagine this is
why Google didn't implement DIGEST-MD5. Since the stream is already
encrypted using TLS/SSL does DIGEST-MD5 add some extra security that
warrants its "must-implement" status?


-----Original Message-----
From: jdev-bounces at jabber.org [mailto:jdev-bounces at jabber.org] On Behalf Of
Peter Saint-Andre
Sent: Tuesday, October 25, 2005 12:46 PM
To: Jabber software development list
Subject: Re: [jdev] Re: Problem Connecting to GoogleTalk using my custom

Gary Burd wrote:
> On 10/25/05, Ralph Meijer <jabber.org at ralphm.ik.nu> wrote:
>> Hmm, so your implementation does not support DIGEST-MD5? Note that 
>> XMPP Core requires implementing this.
> The Google Talk Service does not support DIGEST-MD5.
> To implement DIGEST-MD5, a server must store the user's password as 
> plain text or store a specific hash of the user name and password. 
> DIGEST-MD5 might take some work to implement if a server does not 
> store passwords in one of these two formats to begin with.

We have two options:

1. Accept that Google Talk is not fully compliant with RFC 3920.

2. In rfc3920bis, change the must-implement to specify something other 
than DIGEST-MD5 (perhaps advisable anyway, given recent demonstration of 
problems with MD5).


Peter Saint-Andre
Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml

More information about the JDev mailing list