[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Peter Saint-Andre stpeter at jabber.org
Fri May 23 21:47:36 UTC 2003


On Fri, May 23, 2003 at 10:44:45AM -0700, Evan Prodromou wrote:

> So, I guess I'm just still scratching my head over this.
> 
> JEP-0078 documents the current jabber:iq:auth behavior, so that new
> implementations of clients and servers can be backwards-compatible
> with SASL-ignorant partners, right?
> 
> If that's the case, I don't see why it would make sense to 'fix' the
> protocol. The protocol should be documented as it stands, with a
> security note documenting the flaw.
> 
> I guess I see the goal of JEP 78 less as 'fixing jabber:iq:auth' than
> 'documenting existing jabber:iq:auth'.

This document is now standards-track so that we can included it in the
Jabber IM Basic protocol suite. This is essentially for the sake of
platforms that won't soon have SASL libraries (if ever), such as J2ME.
Because it will be standards-track, it is worth discussing whether or
not to fix certain security holes in the protocol (in a way that is as
backwards-compatible as possible) rather than let such holes remain in a
standard part of the Jabber protocol.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php




More information about the Standards mailing list