[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
dizzyd at jabber.org
Tue May 27 20:24:43 UTC 2003
On Tuesday, May 27, 2003, at 14:16 America/Denver, Chris Mullins wrote:
>> Using <edigest> will break nothing.
> As I think about it, that's not true.
> Let's say we have EDigest, and the user registers on the server. The
> client sends across the password hash, and the server stores that hash.
> This means the server DOES NOT have a copy of the user's original,
> plain-text password.
> Now I boot up Exodus, and try to log in. During the auth-disco process
> (JEP 78) about which protocols are supported, I send back
> <PlainText/><Digest/><EDigest/>, and Exodus picks the one that is
> best - Digest. (Because it doesn't know about EDigest.)
Herein lies the problem: your server ought not return either
<plaintext> or <digest> if it doesn't have the necessary information.
If you deploy <edigest>, either you shouldn't deploy plaintext/digest or
you should require a plaintext password in the registration process.
> This also means plain-text auth would fail, which leaves the
> client no valid means to log the user in.
Again, this is a server mis-configuration problem -- not protocol.
However, this scenario has always been possible. It's completely
possible that I can configure my system to ONLY support Zero-K (for
old times' sake) authentication. If I try and use a client that doesn't
support that mechanism, it's expected that auth will fail. This is
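The negotiation discussed in this thread, as an added model that is not from the thread or from any Jabber server implementation: a server that only advertises the JEP 78 mechanisms it holds material to verify. The edigest derivation and its stream-bound login proof are assumptions (the thread does not define them); the <digest/> computation is JEP 78's SHA-1 over stream ID plus password.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

PLAINTEXT, DIGEST, EDIGEST = "plaintext", "digest", "edigest"

@dataclass
class Credential:
    """What the server stored for one user at registration time."""
    password: Optional[str] = None      # plain-text password, if the server kept it
    edigest_hash: Optional[str] = None  # hash an edigest client sent instead

def edigest(password: str) -> str:
    # Hypothetical edigest derivation (assumption): the thread never pins it down.
    return hashlib.sha1(password.encode()).hexdigest()

def client_digest(stream_id: str, password: str) -> str:
    # JEP 78 <digest/>: hex SHA-1 over the stream ID concatenated with the password.
    return hashlib.sha1((stream_id + password).encode()).hexdigest()

def edigest_proof(stream_id: str, stored_hash: str) -> str:
    # Assumed stream-bound edigest login proof, so the stored hash is not resent as-is.
    return hashlib.sha1((stream_id + stored_hash).encode()).hexdigest()

def advertise(cred: Credential, deployed: set) -> list:
    """Offer only the mechanisms the server can actually verify for this user."""
    usable = []
    if cred.password is not None:
        usable += [PLAINTEXT, DIGEST]          # both need the plain-text password
    if cred.password is not None or cred.edigest_hash is not None:
        usable.append(EDIGEST)                 # hash stored, or derivable from password
    return [m for m in usable if m in deployed]

def exodus_choice(advertised: list) -> Optional[str]:
    # A client that knows only digest and plaintext, preferring digest (Exodus in the thread).
    for mech in (DIGEST, PLAINTEXT):
        if mech in advertised:
            return mech
    return None

def verify(cred: Credential, mech: str, stream_id: str, proof: str) -> bool:
    """Check a login proof; a mechanism the server lacks material for always fails."""
    if mech == PLAINTEXT and cred.password is not None:
        return proof == cred.password
    if mech == DIGEST and cred.password is not None:
        return proof == client_digest(stream_id, cred.password)
    if mech == EDIGEST:
        stored = cred.edigest_hash or (edigest(cred.password) if cred.password else None)
        return stored is not None and proof == edigest_proof(stream_id, stored)
    return False
```

With only the edigest hash on file, the mis-configured server advertises all three, Exodus picks digest, and verify() cannot succeed even with the right password; advertise() instead returns just edigest, so the failure is a visible configuration gap rather than a bad-password error.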