[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
cmullins at winfessor.com
Tue May 27 17:00:46 UTC 2003
I would like to see the "edigest" such as you describe below replace the
Passing the plain text passwords around during registration, and them
storing them on the server in plain text always struck me as dangerous.
From: standards-jig-admin at jabber.org
[mailto:standards-jig-admin at jabber.org] On Behalf Of Peter Saint-Andre
Sent: Tuesday, May 27, 2003 8:45 AM
To: standards-jig at jabber.org
Subject: Re: [standards-jig] Re: [Foundation] Last Minute JEP 78
On Sat, May 24, 2003 at 12:14:32PM +0200, Jacek Konieczny wrote:
> On Fri, May 23, 2003 at 04:47:36PM -0500, Peter Saint-Andre wrote:
> > This document is now standards-track so that we can included it in
> > Jabber IM Basic protocol suite. This is essentially for the sake of
> > platforms that won't soon have SASL libraries (if ever), such as
> SASL implementation including only the required DIGEST-MD5 mechanism
> quit easy and I don't see the reason why one should require a special
> library, even if it is available. The widely used cyrus-sasl library
> IMHO quite complicated and not very well documented and I would trust
> more those Jabber implementations that don't use cyrus-sasl, unless
> than DIGEST-MD5 is needed.
OK. I guess I have two questions:
1. Is it realistic to expect clients on all platforms to support SASL?
Remember that I'm not a coder. :-) However, I've been told that it is
unreasonable to expect some platforms (J2ME is the main one I've heard
mentioned) to support SASL authentication anytime soon.
2. If not, do we need to have a more secure method for authentication
that uses the old jabber:iq:auth protocol -- or will the Council require
one in order to approve this JEP?
If the answer to #1 is "no", then I think the answer to #2 is "yes".
If we need a more secure jabber:iq:auth method, I propose the
Right now the <digest/> method uses the following algorithm:
value of <digest/> == sha1(StreamID + password)
This results in storage of the plaintext password in the server's data
storage. Both dizzy and hildjj independently came up with the following
enhancement (let's call it "edigest" for enhanced digest):
value of <edigest/> == sha1(StreamID + sha1(password))
This would result in storage of sha1(password) in data storage, rather
than the plaintext password.
We could support this in both jabber:iq:auth and jabber:iq:register so
that the plaintext password is never sent over the wire or stored by the
server on the filesystem, in a database, or whatever.
Jabber Software Foundation
Standards-JIG mailing list
Standards-JIG at jabber.org
More information about the Standards