[jdev] Scope of current RFC3920 SASL implementation

Dirk Meyer dmeyer at tzi.de
Mon Jan 26 03:40:54 CST 2009

Justin Karneges wrote:
> On Sunday 25 January 2009 10:30:39 Dirk Meyer wrote:
>> If you only do SASL, you can not be sure that someone changes the data
>> after the SASL authentication. Maybe you don't need to if you trust the
>> XMPP servers involved.
> It depends on the SASL mechanism.  With DIGEST-MD5, for example, you can have 
> a mutually authenticated session with integrity protection (and encryption).

I did not know that.

> I think our e2e proposal should promote TLS + SASL EXTERNAL as the common 
> case, but we should not require TLS and we should allow any SASL mechanism.  
> This way, someone could create a password-based service running at a JID.

It may get things more complicated, but agree, it should be
considered. This seems to be the logical choise for communicating with
external (web) services.


The three most dangerous things are a programmer with a soldering iron,
a manager who codes, and a user who gets ideas.

More information about the JDev mailing list