[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Casey Crabb crabbkw at nafai.dyndns.org
Tue May 27 20:37:49 UTC 2003

To address Tijl's concerns of this not buying safety from others who
use the same system:

I propose we sha1(streamID + sha1(userPassword + serverHostName))

This protects the password from external systems, and other jabber
systems alike.

It accomplishes what Diz wants with protecting the password from being
used on other systems; and addresses some of Tijl's concerns with
other security systems using the same sha1(streamID +
sha1(userPassword)) auth mechanism.

Does this make sense?
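The construction proposed above, next to the unsalted sha1(streamID + sha1(userPassword)) form, as an added example that is not part of the original message. The UTF-8 encoding, lowercase-hex concatenation, function names, hostnames, password and stream ID are all assumptions made for illustration.

```python
import hashlib
import hmac


def sha1_hex(text: str) -> str:
    # Assumption: strings are UTF-8 encoded and digests are lowercase hex.
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def stored_verifier(password: str, server_host: str = "") -> str:
    """Inner hash kept by the server: sha1(userPassword + serverHostName).

    An empty server_host yields the unsalted sha1(userPassword) variant.
    """
    return sha1_hex(password + server_host)


def auth_digest(stream_id: str, verifier: str) -> str:
    """Outer hash sent by the client: sha1(streamID + inner hash)."""
    return sha1_hex(stream_id + verifier)


def server_accepts(stream_id: str, verifier: str, received: str) -> bool:
    # Constant-time comparison of the expected and received digests.
    return hmac.compare_digest(auth_digest(stream_id, verifier), received)


def verifier_reusable(password: str, host_a: str, host_b: str,
                      salted: bool) -> bool:
    """True if the value stored on host_a also authenticates on host_b."""
    at_a = stored_verifier(password, host_a if salted else "")
    at_b = stored_verifier(password, host_b if salted else "")
    stream_id = "3C7A91F2"  # constructed stream ID issued by host_b
    return server_accepts(stream_id, at_b, auth_digest(stream_id, at_a))


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    for salted in (False, True):
        reusable = verifier_reusable(pw, "jabber.example",
                                     "other.example", salted)
        print(f"hostname mixed in={salted}: reusable elsewhere={reusable}")
```

The stored inner hash is still sufficient to authenticate on the server that holds it; mixing in the hostname only stops that value from being accepted by a different system.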
