[standards-jig] SASL JEP

Mike Lin mikelin at MIT.EDU
Thu Jun 6 03:27:14 UTC 2002

The current Jabber protocols tend (actually, I think always do) use
SHA-1 wherever there is a need for secure hashing. Is MD5 more common in
the SASL world? If not, and the choice is arbitrary, I would timidly
suggest SHA-1 over MD5. It's slower and larger, but it's in most Jabber
software already.


On Wed, 2002-06-05 at 16:05, Paul Lloyd wrote:
> Hi,
> Peter Saint-Andre wrote:
> > Rob Norris and Jeremie Miller (with a little help from me) have put
> > together a JEP on SASL:
> > 
> > http://www.jabber.org/jeps/jep-0034.html
> > 
> > Let's discuss!
> For me, the real issue SASL integration raises is interoperability in
> a practical, real-world sense:
> 1) If we simply introduce PLAIN in an "interoperability profile", one
> can argue that little security merit has been achieved relative to
> the present protocol.
> 2) There are a variety of defined SASL mechanism that include the
> user experience of a name and a password, such as DIGEST-MD5, CRAM-MD5,
> and NTLM. From a security perspective, they are clearly preferable
> to PLAIN, especially on the wire in the absence of any previously
> negotiated transport layer protection.
> Perhaps an interoperability profile should simply select based some
> useful criteria, such as minimizing the need for supporting infrastructure.
> 3) The EXTERNAL mechanism provides the most interesting opportunity for
> users to authenticate to servers. But it has some issues of its own,
> like WHICH external mechanism to choose. TLS with client authn is a clear
> favorite today, and a standard to integrate TLS into Jabber could be
> a great step forward.
> 4) Most of the remaining SASL mechanisms require some amount of supporting
> infrastructure; they also introduce serious issues involving inter-realm
> trust.
> So, meanwhile back at the JEP, I guess I'd like to propose the following:
> 1) Add a section that addresses minimal requirements for compliance,
> interoperability, etc. This could arguably be a separate JEP, and JEP-0034
> simply defines the namespace and basic protocol integration.
> 2) Just to start the discussion, here are my thoughts:
>    o  DIGEST-MD5           required
>    o  EXTERNAL             recommended
>    o  PLAIN                not recommended (because limited added value to present,
>                            but feel free to argue otherwise)
>    o  various others       optional
> 3) WRT TLS, construct a JEP similar to http://www.ietf.org/rfc/rfc2595.txt?number=2595
> that standardizes the overall role of TLS in Jabber, including leveraging
> client authn as an EXTERNAL SASL mechanism. Note that this standard may also
> address use of TLS to protect legacy authn and even to protect the PLAIN SSL
> mechanism.
> Later,
> Paul Lloyd
> Infrastructure Strategic Engineering
> Strategy and Architecture Leadership Team
> voice:          650-236-3704
> FAX:            650-236-3632
> MSN Messenger:  paul_lloyd at hp.com
> plloyd at corp.hp.com
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig

More information about the Standards mailing list