[standards-jig] UPDATED: JEP-0078 (Non-SASL Authentication)

Jacek Konieczny jajcus at bnet.pl
Fri Jun 13 07:21:21 UTC 2003


On Thu, Jun 12, 2003 at 11:30:34PM -0500, Peter Saint-Andre wrote:
> Based on feedback from the Jabber Council, I've made a few adjustments
> to JEP-0078 (Non-SASL Authentication). The changelog is as follows:
> 
> ******
> 
> clarified escaping requirements (UTF-8); 

IMHO it is not clarified well.

  Plaintext passwords are straightforward (note that any non-ASCII
  characters MUST be encoded as UTF-8).

Plain text passwords are regular CDATA in the XML stream, so they are
Unicode encoded in the stream encoding (which may be UTF-8 or UTF-16). No
clarification is needed, and the sentence you wrote is wrong for UTF-16
encoded streams.

   The value of the <digest/> element MUST be computed according to the following
   algorithm:

    1. Concatenate the Stream ID received from the server with the password.
    2. Hash the concatenated string according to the SHA1 algorithm.
    3. Ensure that the hash output is in hexadecimal format, not binary or base64.
    4. Convert the hash output to all lowercase characters.

This is a place where clarification is needed. The digest is computed from a
sequence of bytes, so the encoding used should be known. Maybe point 1 should read:
    
    1. Concatenate the Stream ID received from the server with the password, both
       encoded as UTF-8.

Greets,
	Jacek
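The encoding problem discussed above, as an added example that is not part of the original message or the JEP: the digest steps are implemented with the byte encoding as an explicit parameter, so it is visible that a client and server that pick different encodings for the same password never agree. The stream ID and password are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the JEP): a stream ID as the server
# would send it in <stream:stream id="..."> and a password with non-ASCII chars.
SAMPLE_STREAM_ID = "3EE948B0"
SAMPLE_PASSWORD = "pässwörd"


def jep0078_digest(stream_id: str, password: str, encoding: str = "utf-8") -> str:
    """JEP-0078 digest: SHA-1 over (stream ID + password), as lowercase hex.

    The JEP text does not say which bytes are hashed; the encoding is made an
    explicit parameter here so the effect of that choice can be observed.
    UTF-8 is the default, matching the wording proposed in the message.
    """
    data = (stream_id + password).encode(encoding)          # steps 1 (+ encoding)
    return hashlib.sha1(data).hexdigest().lower()          # steps 2, 3, 4


def verify_digest(stream_id: str, password: str, received: str,
                  encoding: str = "utf-8") -> bool:
    """Server-side check: recompute with the server's encoding choice and
    compare in constant time, tolerating uppercase hex from the client."""
    expected = jep0078_digest(stream_id, password, encoding)
    return hmac.compare_digest(expected, received.lower())


def encoding_sensitivity(stream_id: str, password: str) -> dict:
    """Digest per candidate encoding, to show which ones agree."""
    return {enc: jep0078_digest(stream_id, password, enc)
            for enc in ("utf-8", "latin-1", "utf-16-be")}


if __name__ == "__main__":
    for enc, d in encoding_sensitivity(SAMPLE_STREAM_ID, SAMPLE_PASSWORD).items():
        print(f"{enc:10s} {d}")
    # A client that hashed UTF-8 bytes fails against a server that hashed the
    # UTF-16 bytes of its stream, although both hold the same password.
    client = jep0078_digest(SAMPLE_STREAM_ID, SAMPLE_PASSWORD, "utf-8")
    print("utf-16 server accepts utf-8 client:",
          verify_digest(SAMPLE_STREAM_ID, SAMPLE_PASSWORD, client, "utf-16-be"))
```

For an all-ASCII password UTF-8 and Latin-1 still agree, which is why the ambiguity only surfaces once non-ASCII passwords or UTF-16 streams are in use.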


