[standards-jig] Advanced authentication

Thomas Muldowney temas at box5.net
Tue Apr 16 01:42:49 UTC 2002


I haven't read the information fully yet, so I won't comment on that,
but overall I do think this is vitally important for the current Jabber
system.  Much like my XES examination.

--temas


On Mon, 2002-04-15 at 18:26, Iain Shigeoka wrote:
> On 4/15/02 3:52 PM, "Robert Norris" <rob at cataclysm.cx> wrote:
> 
> >> I have not yet read your proposal, but just curious, any reasons why you
> >> want to propose something 'similar' to SASL? I will try and look at it
> >> sometime later today and hopefully we can get some discussions going.
> > 
> > SASL was really designed to be built on top of a command-driven
> > interface, which Jabber is not (at least, not directly). It could be
> > implemented on top of Jabber if we wanted, but it would not take
> > advantage of Jabber's strengths.
> > 
> > All a SASL profile (a protocol-specific SASL implementation) is required
> > to do is provide a method by which a client can find out what mechanisms
> > are supported, and provide a standard challenge/response mechanism that
> > will work for all authentication mechanisms. AAF does this.
> > 
> > It is entirely possible to implement any SASL mechanism on top of AAF.
> > In fact, the thing that pushed me to write these proposals was an
> > earlier proposal for doing SASL DIGEST-MD5 over Jabber. It was only
> > after completing this I realised that a) it could be made more generic
> > and b) DIGEST-MD5 is an overkill for Jabber anyway.
> 
> I think if it is possible, a SASL profile is a better solution than anything
> "jabber native".  When it comes to security, people like to work with well
> known solutions if possible.  IMO, anything that is not SASL should really
> demonstrate advantages several times more compelling than SASL in order to
> justify itself or provide reasons why it is impractical to do so.
> 
> I think it would really strengthen your proposal if you went into more
> details why you think we should use AAF rather than a SASL profile.  In
> particular, if you could expand the following sentence from the document:
> 
> > It cannot technically be called a Jabber SASL profile, because it does not
> > conform to section 4 of RFC 2222.
> 
> I think it would also be nice to discuss whether this is a retrofit to the
> existing Jabber system, or proposal for Jabber Next Generation (JNG) or
> both.
> 
> -iain
> 
> 
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
> 
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig





More information about the Standards mailing list