[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Tijl Houtbeckers thoutbeckers at splendo.com
Tue May 27 20:49:01 UTC 2003


Casey Crabb <crabbkw at nafai.dyndns.org> wrote on 27-5-2003 22:37:49:
>
>To address Tijl's concerns of this not buying safety from others who
>use the same system:
>
>I propose we sha1(streamID + sha1(userPassword + serverHostName))

Well, that's basically the same level of protection (and method, more 
or less) as I proposed with adding an extra ID, except it doesn't 
protect multiple accounts on the same server (also it doesn't protect 
any other application that would use sha1(userPassword+serverHostName) 
for storing passwords, maybe we could make it 
sha1("xmpp"+userPassword+serverHostName) to address that). 

At least it's a whole lot better than the original proposal, since this 
solves, and considering that my proposal includes sending 1 extra key 
this would be the easiest to implement in existing clients. The 
problem is with domain aliases though I think. I'm not sure how these 
are used exactly in Jabber. Is it possible to use the same user 
database for two different domains? 

-- 
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands
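The two constructions discussed above, worked through in Python as an added example (this is not code from the thread or from any Jabber implementation); the function names and the sample password, hostname and stream ID are assumptions.

```python
import hashlib
import hmac

# Added example, not from the original thread. Models the scheme quoted above:
#   stored verifier : sha1(userPassword + serverHostName)
#   per-stream reply: sha1(streamID + verifier)
# and Tijl's tweak of prefixing "xmpp" to the verifier input. Names are assumptions.


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def stored_verifier(password: str, server_host: str, app_label: str = "") -> str:
    """What the server keeps instead of the cleartext password.

    app_label="" is the construction as proposed; app_label="xmpp" is the
    suggested variant, so the stored value no longer matches what another
    application using the unlabelled sha1(password + host) would store.
    Note the fields are simply concatenated with no delimiter, exactly as quoted.
    """
    return sha1_hex((app_label + password + server_host).encode("utf-8"))


def stream_response(stream_id: str, verifier_hex: str) -> str:
    """sha1(streamID + verifier). The client derives verifier_hex from the
    password, the server reads it from storage, so the cleartext password
    never crosses the stream and the value changes with every stream ID."""
    return sha1_hex((stream_id + verifier_hex).encode("utf-8"))


def server_check(stream_id: str, claimed: str, verifier_hex: str) -> bool:
    """Server-side verification of a client's reply for this stream."""
    expected = stream_response(stream_id, verifier_hex)
    return hmac.compare_digest(expected, claimed)


def same_verifier_for_two_accounts(password: str, server_host: str) -> bool:
    """Illustrates the limitation noted above: the username is not an input,
    so two accounts on the same server with the same password store the
    same verifier (constructed check, True means the values collide)."""
    alice = stored_verifier(password, server_host)
    bob = stored_verifier(password, server_host)
    return alice == bob


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    v = stored_verifier("correct horse", "jabber.example.org", "xmpp")
    reply = stream_response("stream-1234", v)
    print("stored verifier:", v)
    print("reply accepted :", server_check("stream-1234", reply, v))
```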
