[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Jacek Konieczny jajcus at bnet.pl
Tue May 27 17:39:12 UTC 2003

On Tue, May 27, 2003 at 10:45:00AM -0500, Peter Saint-Andre wrote:
> 1. Is it realistic to expect clients on all platforms to support SASL?
IMHO it is.

> Remember that I'm not a coder. :-) However, I've been told that it is
> unreasonable to expect some platforms (J2ME is the main one I've heard
> mentioned) to support SASL authentication anytime soon.
Even if the platform doesn't have SASL authentication implemented it is
not a big problem. Implementing just the required DIGEST-MD5 SASL
authentication mechanism is not much more complicated than the old
jabber digest auth. AFAIR it is just giving more input to the hashing
function (and the function is MD5 instead of SHA1 of course).

> 2. If not, do we need to have a more secure method for authentication
> that uses the old jabber:iq:auth protocol -- or will the Council require
> one in order to approve this JEP?

The DIGEST-MD5 SASL mechanism was invented with security in mind. There is
no reason to invent it again, just written in another way (plain XML
instead of base-64 encoded strings).
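
The comparison made in the message above, as an added example that is not part of the original post: the old jabber:iq:auth digest next to the DIGEST-MD5 response computation from RFC 2831 (qop=auth only). The function names are hypothetical, the stream id and password passed to the legacy digest are constructed, and the DIGEST-MD5 inputs are the worked example from RFC 2831 section 4; UTF-8 encoding of all strings is an assumption.

```python
import hashlib


def legacy_jabber_digest(stream_id: str, password: str) -> str:
    """Old jabber:iq:auth digest: hex SHA-1 over stream id + password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce,
                        digest_uri, nc="00000001", qop="auth", authzid=None):
    """RFC 2831 'response' value for qop=auth, as lowercase hex."""
    if qop != "auth":
        # auth-int and auth-conf change A2; they are out of scope here.
        raise ValueError("only qop=auth is implemented in this example")
    enc = "utf-8"  # assumption: the client sends charset=utf-8
    # A1 begins with the RAW 16-byte MD5 of user:realm:password, not its
    # hex form; mixing the two up is the usual interoperability bug.
    a1 = _md5(f"{username}:{realm}:{password}".encode(enc))
    a1 += f":{nonce}:{cnonce}".encode(enc)
    if authzid is not None:
        a1 += b":" + authzid.encode(enc)
    a2 = f"AUTHENTICATE:{digest_uri}".encode(enc)
    ha1 = _md5(a1).hex()
    ha2 = _md5(a2).hex()
    # KD(k, s) = MD5(k ":" s); the server nonce, client nonce and nonce
    # count are the "more input" that binds the response to one exchange.
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode(enc)).hexdigest()


if __name__ == "__main__":
    # Constructed stream id and password for the legacy digest.
    print("jabber:iq:auth digest:",
          legacy_jabber_digest("constructed-stream-id", "constructed-password"))
    # Inputs from the worked example in RFC 2831 section 4.
    print("DIGEST-MD5 response:  ",
          digest_md5_response("chris", "elwood.innosoft.com", "secret",
                              "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk",
                              "imap/elwood.innosoft.com"))
```
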


