[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Dave Smith dizzyd at jabber.org
Tue May 27 17:12:59 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Agreed, we should replace <digest> w/ <edigest>.

Of course, I'm biased. ;)

Diz

On Tuesday, May 27, 2003, at 11:00 America/Denver, Chris Mullins wrote:

> I would like to see the "edigest" such as you describe below replace
> the existing digest.
>
> Passing the plain text passwords around during registration, and then
> storing them on the server in plain text always struck me as dangerous.
>
>
> -- 
> Chris Mullins
>
> -----Original Message-----
> From: standards-jig-admin at jabber.org
> [mailto:standards-jig-admin at jabber.org] On Behalf Of Peter Saint-Andre
> Sent: Tuesday, May 27, 2003 8:45 AM
> To: standards-jig at jabber.org
> Subject: Re: [standards-jig] Re: [Foundation] Last Minute JEP 78
> Concerns
>
> On Sat, May 24, 2003 at 12:14:32PM +0200, Jacek Konieczny wrote:
>> On Fri, May 23, 2003 at 04:47:36PM -0500, Peter Saint-Andre wrote:
>>> This document is now standards-track so that we can include it in the
>>> Jabber IM Basic protocol suite. This is essentially for the sake of
>>> platforms that won't soon have SASL libraries (if ever), such as J2ME.
>>
>> SASL implementation including only the required DIGEST-MD5 mechanism is
>> quite easy and I don't see the reason why one should require a special
>> library, even if it is available. The widely used cyrus-sasl library is
>> IMHO quite complicated and not very well documented and I would trust
>> more those Jabber implementations that don't use cyrus-sasl, unless more
>> than DIGEST-MD5 is needed.
>
> OK. I guess I have two questions:
>
> 1. Is it realistic to expect clients on all platforms to support SASL?
> Remember that I'm not a coder. :-) However, I've been told that it is
> unreasonable to expect some platforms (J2ME is the main one I've heard
> mentioned) to support SASL authentication anytime soon.
>
> 2. If not, do we need to have a more secure method for authentication
> that uses the old jabber:iq:auth protocol -- or will the Council require
> one in order to approve this JEP?
>
> If the answer to #1 is "no", then I think the answer to #2 is "yes".
>
> If we need a more secure jabber:iq:auth method, I propose the
> following...
>
> Right now the <digest/> method uses the following algorithm:
>
>   value of <digest/> == sha1(StreamID + password)
>
> This results in storage of the plaintext password in the server's data
> storage. Both dizzy and hildjj independently came up with the following
> enhancement (let's call it "edigest" for enhanced digest):
>
>   value of <edigest/> == sha1(StreamID + sha1(password))
>
> This would result in storage of sha1(password) in data storage, rather
> than the plaintext password.
>
> We could support this in both jabber:iq:auth and jabber:iq:register so
> that the plaintext password is never sent over the wire or stored by the
> server on the filesystem, in a database, or whatever.
>
> Thoughts?
>
> Peter
>
> -- 
> Peter Saint-Andre
> Jabber Software Foundation
> http://www.jabber.org/people/stpeter.php
>
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+05ycYNE3chVHHsMRAvjMAKDT5kDjNTEsFAyfG+v7d9NHf+57VgCgzjHD
GPlPaiceaXYLGAjZ7CGfNsU=
=5LIA
-----END PGP SIGNATURE-----
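
The two algorithms quoted in this thread, side by side, as an added example that is not part of the original messages or of any Jabber implementation. It assumes lowercase hex SHA-1 output, UTF-8 input, and that the client sends sha1(password) at registration; the class and function names are hypothetical.

```python
import hashlib
import hmac


def sha1_hex(data: str) -> str:
    # Assumption: UTF-8 input and lowercase hex output; the thread fixes neither.
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def client_digest(stream_id: str, password: str) -> str:
    """<digest/> as quoted in the thread: sha1(StreamID + password)."""
    return sha1_hex(stream_id + password)


def client_edigest(stream_id: str, password: str) -> str:
    """<edigest/> as proposed: sha1(StreamID + sha1(password))."""
    return sha1_hex(stream_id + sha1_hex(password))


class AuthServer:
    """Hypothetical server: stores one secret per user and recomputes the
    expected value as sha1(StreamID + stored_secret)."""

    def __init__(self):
        self.store = {}

    def register(self, user: str, secret: str) -> None:
        # <digest/>: secret must be the plaintext password.
        # <edigest/>: secret is sha1(password), so plaintext is never stored.
        self.store[user] = secret

    def verify(self, user: str, stream_id: str, value: str) -> bool:
        secret = self.store.get(user)
        if secret is None:
            return False
        expected = sha1_hex(stream_id + secret)
        return hmac.compare_digest(expected, value)  # constant-time compare


if __name__ == "__main__":
    stream_id, password = "3EE948B0", "Calli0pe"  # constructed sample values
    old, new = AuthServer(), AuthServer()
    old.register("juliet", password)             # plaintext sits in the store
    new.register("juliet", sha1_hex(password))   # only sha1(password) is stored
    print(old.verify("juliet", stream_id, client_digest(stream_id, password)))
    print(new.verify("juliet", stream_id, client_edigest(stream_id, password)))
    print(new.store["juliet"] == password)       # False: no plaintext at rest
```

The server-side check is the same in both schemes; only the stored secret changes. Under edigest the stored sha1(password) is itself the input to the check, so the store still needs to be protected as authentication material.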



