[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Evan Prodromou evan at prodromou.san-francisco.ca.us
Tue May 27 17:43:56 UTC 2003


>>>>> "PS" == Peter Saint-Andre <stpeter at jabber.org> writes:

    PS> 1. Is it realistic to expect clients on all platforms to
    PS> support SASL?

Any client that can parse XML and manipulate strings and integers can
support the SASL profile in XMPP. Doing MD5 and bin64 encoding, even
by hand, is not rocket science.

There may not be out-of-the-box libraries for all platforms, but I
think that's a tough-beans issue.

    PS> 2. If not, do we need to have a more secure method for
    PS> authentication that uses the old jabber:iq:auth protocol -- or
    PS> will the Council require one in order to approve this JEP?

I don't think it's a good idea to have two non-deprecated protocols
for Jabber authentication. The onus on implementers -- both for
clients and servers -- is too high. And there are security
implications -- a house with many doors has more chances of a faulty
lock.

It makes sense, in a transition period, to document the existing auth
protocol for interoperation with existing clients. But it doesn't make
sense to put two different and equally secure methods on the
wire. Eventually, everyone should be moving to the preferred,
non-deprecated protocol.

If there is an argument that the SASL profile is too complicated or
too difficult to implement, well, that points out a weakness in the
choice of SASL. If SASL doesn't meet Jabber's needs, then we shouldn't
create a _parallel_ mechanism -- we should create a _replacement_
mechanism.

In other words, if SASL doesn't meet our requirements, it should be
scrapped.

~ESP

-- 
Evan Prodromou
evan at prodromou.san-francisco.ca.us






More information about the Standards mailing list