[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Dave Smith dizzyd at jabber.org
Tue May 27 20:24:43 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tuesday, May 27, 2003, at 14:16 America/Denver, Chris Mullins wrote:

>> Using <edigest> will break nothing.
>
> As I think about it, that's not true.
>
> Let's say we have EDigest, and the user Registers on the server. The
> client sends across the password hash, and the server stores that hash.
> This means the server DOES NOT have a copy of the user's original,
> plain-text password.
>
> Now I boot up Exodus, and try to log in. During the auth-disco process
> (JEP 78) about which protocols are supported, I send back
> <PlainText/><Digest/><EDigest/>, and Exodus picks the one that it
> thinks is best - Digest. (Because it doesn't know about EDigest).

Herein lies the problem: your server ought not return either
<plaintext> or <digest> if it doesn't have the necessary information.
If you deploy <edigest>, either you shouldn't deploy plaintext/digest, or
you should require a plaintext password in the registration process.

> This also means plain-text auth would fail, which leaves all the
> "older" clients no valid means to log the user in.

Again, this is a server misconfiguration problem -- not protocol.
However, this scenario has always been possible. It's completely
possible that I can configure my system to ONLY support Zero-K (for
old times' sake) authentication. If I try to use a client that doesn't
support that mechanism, it's expected that auth will fail. This is
correct behaviour.

Diz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+08mLYNE3chVHHsMRAoc6AKC68bsCQusMU0beOMb/2N1DptayGwCbBqX5
1F9++9B596bJ54J+EdIAOlY=
=eDm9
-----END PGP SIGNATURE-----
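The scenario argued over above (a server that stores only a password hash but still advertises <plaintext> and <digest>) can be modelled in a few lines. The following is an added illustration written for this archive page, not code from Dave Smith, Chris Mullins, Exodus or any Jabber server. The JEP 78 <digest/> proof (hex SHA-1 over stream id + password) is the real one; the <edigest> computation is an assumed stand-in, since the thread gives no algorithm for it, and the mechanism labels, `register`, `mechanisms_to_advertise`, `verify` and `login` are all constructed here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

# Mechanism labels as used in the thread (constructed; not the exact
# jabber:iq:auth element names).
PLAINTEXT, DIGEST, EDIGEST = "plaintext", "digest", "edigest"


def jep78_digest(stream_id: str, password: str) -> str:
    """JEP 78 <digest/> proof: lowercase hex SHA-1 of stream id + password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def toy_edigest(password: str) -> str:
    """ASSUMPTION: stand-in for the <edigest> proposal. The thread gives no
    algorithm, so this is simply hex SHA-1 of the password, which the server
    stores at registration instead of the password itself."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


@dataclass
class StoredCredential:
    kind: str    # "password": server keeps the plain-text password
                 # "edigest":  server keeps only the edigest hash
    value: str


def register(password: str, keep_plaintext: bool) -> StoredCredential:
    """Registration: the server either keeps the password or only its hash."""
    if keep_plaintext:
        return StoredCredential("password", password)
    return StoredCredential("edigest", toy_edigest(password))


def mechanisms_to_advertise(cred: StoredCredential) -> List[str]:
    """Dave's rule: only offer mechanisms the stored material can verify.
    A hash-only record cannot reproduce a plaintext or digest proof."""
    if cred.kind == "password":
        return [PLAINTEXT, DIGEST, EDIGEST]
    return [EDIGEST]


def verify(cred: StoredCredential, mechanism: str, stream_id: str, proof: str) -> bool:
    """Compute the expected proof from stored material; fail if that's impossible."""
    if mechanism == PLAINTEXT:
        if cred.kind != "password":
            return False          # no plaintext on file: nothing to compare against
        expected = cred.value
    elif mechanism == DIGEST:
        if cred.kind != "password":
            return False          # digest needs the password, not its hash
        expected = jep78_digest(stream_id, cred.value)
    elif mechanism == EDIGEST:
        expected = cred.value if cred.kind == "edigest" else toy_edigest(cred.value)
    else:
        return False
    return hmac.compare_digest(expected, proof)


def client_proof(mechanism: str, stream_id: str, password: str) -> str:
    """What a client sends for each mechanism."""
    if mechanism == PLAINTEXT:
        return password
    if mechanism == DIGEST:
        return jep78_digest(stream_id, password)
    return toy_edigest(password)


def login(cred: StoredCredential, advertised: List[str], client_prefs: List[str],
          stream_id: str, password: str) -> str:
    """Client picks its most-preferred advertised mechanism; returns
    'ok', 'rejected' (proof failed) or 'no-mechanism' (nothing in common)."""
    for mech in client_prefs:
        if mech in advertised:
            proof = client_proof(mech, stream_id, password)
            return "ok" if verify(cred, mech, stream_id, proof) else "rejected"
    return "no-mechanism"


if __name__ == "__main__":
    hash_only = register("s3cret", keep_plaintext=False)    # constructed sample
    old_client = [DIGEST, PLAINTEXT]                        # knows nothing of edigest
    new_client = [EDIGEST, DIGEST, PLAINTEXT]
    # Chris's scenario: misconfigured server advertises everything -> digest fails.
    print(login(hash_only, [PLAINTEXT, DIGEST, EDIGEST], old_client, "sid1", "s3cret"))
    # Dave's rule: advertise only edigest -> old client simply has no mechanism,
    # new client logs in.
    print(login(hash_only, mechanisms_to_advertise(hash_only), old_client, "sid1", "s3cret"))
    print(login(hash_only, mechanisms_to_advertise(hash_only), new_client, "sid1", "s3cret"))
```

Run it directly to see the three outcomes in order: `rejected` (the misconfiguration Chris describes), then `no-mechanism` and `ok` (the expected results once the server advertises only what it can verify).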