[standards-jig] Advanced authentication

Iain Shigeoka iainshigeoka at yahoo.com
Mon Apr 15 23:26:38 UTC 2002


On 4/15/02 3:52 PM, "Robert Norris" <rob at cataclysm.cx> wrote:

>> I have not yet read your proposal, but just curious, any reasons why you
>> want to propose something 'similar' to SASL? I will try and look at it
>> sometime later today and hopefully we can get some discussions going.
> 
> SASL was really designed to be built on top of a command-driven
> interface, which Jabber is not (at least, not directly). It could be
> implemented on top of Jabber if we wanted, but it would not take
> advantage of Jabber's strengths.
> 
> All a SASL profile (a protocol-specific SASL implementation) is required
> to do is provide a method by which a client can find out what mechanisms
> are supported, and provide a standard challenge/response mechanism that
> will work for all authentication mechanisms. AAF does this.
> 
> It is entirely possible to implement any SASL mechanism on top of AAF.
> In fact, the thing that pushed me to write these proposals was an
> earlier proposal for doing SASL DIGEST-MD5 over Jabber. It was only
> after completing this I realised that a) it could be made more generic
> and b) DIGEST-MD5 is overkill for Jabber anyway.

I think if it is possible, a SASL profile is a better solution than anything
"jabber native".  When it comes to security, people like to work with well
known solutions if possible.  IMO, anything that is not SASL should really
demonstrate advantages several times more compelling than SASL in order to
justify itself or provide reasons why it is impractical to do so.

I think it would really strengthen your proposal if you went into more
detail about why you think we should use AAF rather than a SASL profile.  In
particular, if you could expand the following sentence from the document:

> It cannot technically be called a Jabber SASL profile, because it does not
> conform to section 4 of RFC 2222.

I think it would also be nice to discuss whether this is a retrofit to the
existing Jabber system, or a proposal for Jabber Next Generation (JNG), or
both.

-iain
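The two obligations Robert describes for a SASL profile (mechanism discovery plus a generic challenge/response carrier) are small enough to show end to end. The following is an added illustration, not code from the AAF proposal or from any Jabber or XMPP specification: it carries a SASL-style negotiation in made-up XML stanzas (`mechanisms`, `challenge`, `response`), using CRAM-MD5 (RFC 2195) as the mechanism because it is the simplest standard challenge/response scheme. The element names, the `example.invalid` host in the challenge and the user table are all constructed assumptions.

```python
"""Minimal SASL-style negotiation carried in Jabber-like XML stanzas.

Mechanism: CRAM-MD5 (RFC 2195). The server sends a unique challenge and
the client answers with "<username> <hex HMAC-MD5(password, challenge)>".
Stanza names below are illustrative assumptions, not AAF and not any
published Jabber/XMPP protocol; the profile's job is only to advertise
mechanisms and ferry opaque base64 blobs back and forth.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed user table. CRAM-MD5 requires the server to hold the password
# (or an MD5 intermediate of it), which is one of the mechanism's known costs.
USERS = {"alice": b"correct horse battery staple"}

SUPPORTED_MECHANISMS = ["CRAM-MD5"]


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def unb64(text: str) -> bytes:
    return base64.b64decode(text)


def server_advertise() -> str:
    """Profile duty 1: let the client discover the supported mechanisms."""
    root = ET.Element("mechanisms")
    for name in SUPPORTED_MECHANISMS:
        ET.SubElement(root, "mechanism").text = name
    return ET.tostring(root, encoding="unicode")


def client_choose(advert_xml: str) -> str:
    """Client parses the advertisement and picks a mechanism it implements."""
    offered = [m.text for m in ET.fromstring(advert_xml).findall("mechanism")]
    for name in offered:
        if name == "CRAM-MD5":
            return name
    raise ValueError("no mutually supported mechanism")


def server_challenge():
    """Profile duty 2a: emit a fresh, unpredictable challenge.

    Returns the stanza to send and the raw challenge the server must
    remember for verification. A new nonce per attempt defeats replay.
    """
    nonce = secrets.token_hex(16)
    raw = f"<{nonce}@example.invalid>".encode("ascii")  # example.invalid is a placeholder host
    stanza = ET.Element("challenge")
    stanza.text = b64(raw)
    return ET.tostring(stanza, encoding="unicode"), raw


def client_respond(challenge_xml: str, username: str, password: bytes) -> str:
    """Client side of CRAM-MD5: keyed MD5 digest of the challenge."""
    raw = unb64(ET.fromstring(challenge_xml).text)
    digest = hmac.new(password, raw, hashlib.md5).hexdigest()
    stanza = ET.Element("response")
    stanza.text = b64(f"{username} {digest}".encode("ascii"))
    return ET.tostring(stanza, encoding="unicode")


def server_verify(response_xml: str, raw_challenge: bytes) -> str:
    """Profile duty 2b: decode the response and report the outcome.

    The expected digest is recomputed from the stored secret and compared
    in constant time so timing does not leak how many bytes matched.
    """
    payload = unb64(ET.fromstring(response_xml).text).decode("ascii")
    username, _, digest = payload.partition(" ")
    secret = USERS.get(username)
    if secret is None:
        return "failure"
    expected = hmac.new(secret, raw_challenge, hashlib.md5).hexdigest()
    return "success" if hmac.compare_digest(expected, digest) else "failure"


def run_exchange(username: str, password: bytes) -> str:
    """Drive one complete negotiation and return the server's verdict."""
    client_choose(server_advertise())
    chal_xml, raw = server_challenge()
    resp = client_respond(chal_xml, username, password)
    return server_verify(resp, raw)


if __name__ == "__main__":
    print(run_exchange("alice", USERS["alice"]))  # success
```

Swapping in another mechanism only changes `client_respond` and `server_verify`; the advertisement and the `challenge`/`response` stanzas stay the same, which is the point of separating profile from mechanism. Note that a response captured from one exchange fails against the next challenge, because the server verifies against the nonce it actually issued.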

