[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Peter Saint-Andre stpeter at jabber.org
Tue May 27 15:45:00 UTC 2003


On Sat, May 24, 2003 at 12:14:32PM +0200, Jacek Konieczny wrote:
> On Fri, May 23, 2003 at 04:47:36PM -0500, Peter Saint-Andre wrote:
> > This document is now standards-track so that we can included it in the
> > Jabber IM Basic protocol suite. This is essentially for the sake of
> > platforms that won't soon have SASL libraries (if ever), such as J2ME.
> 
> SASL implementation including only the required DIGEST-MD5 mechanism is
> quit easy and I don't see the reason why one should require a special
> library, even if it is available. The widely used cyrus-sasl library is
> IMHO quite complicated and not very well documented and I would trust
> more those Jabber implementations that don't use cyrus-sasl, unless more
> than DIGEST-MD5 is needed.

OK. I guess I have two questions:

1. Is it realistic to expect clients on all platforms to support SASL?
Remember that I'm not a coder. :-) However, I've been told that it is
unreasonable to expect some platforms (J2ME is the main one I've heard
mentioned) to support SASL authentication anytime soon.

2. If not, do we need to have a more secure method for authentication
that uses the old jabber:iq:auth protocol -- or will the Council require
one in order to approve this JEP?

If the answer to #1 is "no", then I think the answer to #2 is "yes".

If we need a more secure jabber:iq:auth method, I propose the
following...

Right now the <digest/> method uses the following algorithm:

  value of <digest/> == sha1(StreamID + password)

This results in storage of the plaintext password in the server's data
storage. Both dizzy and hildjj independently came up with the following
enhancement (let's call it "edigest" for enhanced digest):

  value of <edigest/> == sha1(StreamID + sha1(password))

This would result in storage of sha1(password) in data storage, rather
than the plaintext password.

We could support this in both jabber:iq:auth and jabber:iq:register so
that the plaintext password is never sent over the wire or stored by the
server on the filesystem, in a database, or whatever.

Thoughts?

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php




More information about the Standards mailing list