[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Dave Smith dizzyd at jabber.org
Tue May 27 21:26:37 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tuesday, May 27, 2003, at 15:11 America/Denver, Nathan Walp wrote:

> *nix stores passwords hashed, yes.  But *nix doesn't have to send
> passwords over the wire.  It takes the plaintext password, hashes it,
> and compares.  Jabber has the problem of how to do this, and still be
> able to change the password, which requires sending the plaintext
> password to the server at some point.

To clarify, one more time, we're talking about sending a digest of the 
digest and a one-time session identifier over the wire.

i.e.

digest auth == SHA1(stream id + password-plaintext)

edigest auth == SHA1(stream id + SHA1(password-plaintext))

This would mean that one never sends the plaintext password over the 
wire, even for registration.

Diz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+09gNYNE3chVHHsMRAkVrAKD1wfB4QQuHtnKhAtZ3CcOMFB63qQCeOKuV
eBg4x11LaNqBAsQFnYf5cSY=
=ONHc
-----END PGP SIGNATURE-----
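The two schemes Diz lays out, worked through as an added example (this is not code from the thread or from any Jabber implementation). It runs registration and one login under each scheme against a hypothetical in-memory server, records what the client puts on the wire, and then checks two properties a practitioner would want to confirm: a captured response cannot be replayed against a fresh stream id, and under edigest the server-side value SHA1(password) is itself sufficient to authenticate. Hex encoding of the SHA1 output, the server class, and the user/password values are assumptions made for the example.

```python
"""Added example: digest vs. edigest response computation and exchange.

digest  auth == SHA1(stream id + password-plaintext)
edigest auth == SHA1(stream id + SHA1(password-plaintext))
"""
import hashlib
import hmac
import secrets


def sha1_hex(data: str) -> str:
    # Hex encoding of the SHA1 output is assumed for the example.
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def digest_response(stream_id: str, password: str) -> str:
    """digest auth: SHA1(stream id + plaintext password)."""
    return sha1_hex(stream_id + password)


def edigest_response(stream_id: str, password_hash: str) -> str:
    """edigest auth: SHA1(stream id + SHA1(plaintext password)).

    The client only needs SHA1(password) here, never the plaintext."""
    return sha1_hex(stream_id + password_hash)


class Server:
    """Hypothetical server (an assumption of this example).

    Under 'digest' it must hold the plaintext password to recompute the
    response; under 'edigest' it holds only SHA1(password)."""

    def __init__(self, scheme: str):
        assert scheme in ("digest", "edigest")
        self.scheme = scheme
        self.creds = {}  # user -> stored credential

    def register(self, user: str, credential: str) -> None:
        self.creds[user] = credential

    def new_stream_id(self) -> str:
        # One-time session identifier, fresh per stream.
        return secrets.token_hex(16)

    def check(self, user: str, stream_id: str, response: str) -> bool:
        cred = self.creds.get(user)
        if cred is None:
            return False
        if self.scheme == "digest":
            expected = digest_response(stream_id, cred)
        else:
            expected = edigest_response(stream_id, cred)
        # Constant-time comparison to avoid leaking a prefix match.
        return hmac.compare_digest(expected, response)


def run_exchange(scheme: str, user: str, password: str, attempt: str = None):
    """Register, then log in once. Returns (authenticated, wire, server, sid).

    `wire` is every client-sent credential value an eavesdropper would see:
    the registration credential followed by the login response."""
    server = Server(scheme)
    wire = []
    # Registration: what the client must hand over so the server can verify later.
    reg_cred = password if scheme == "digest" else sha1_hex(password)
    wire.append(reg_cred)
    server.register(user, reg_cred)
    # Login against a fresh stream id.
    sid = server.new_stream_id()
    pw = password if attempt is None else attempt
    if scheme == "digest":
        resp = digest_response(sid, pw)
    else:
        resp = edigest_response(sid, sha1_hex(pw))
    wire.append(resp)
    return server.check(user, sid, resp), wire, server, sid


def replay_succeeds(scheme: str, user: str, password: str) -> bool:
    """Does a captured login response work against a new stream id?"""
    _, wire, server, _ = run_exchange(scheme, user, password)
    captured = wire[-1]
    return server.check(user, server.new_stream_id(), captured)


def stored_hash_logs_in(user: str, password: str) -> bool:
    """edigest: can someone holding only the server's SHA1(password) log in?"""
    _, _, server, _ = run_exchange("edigest", user, password)
    stolen = server.creds[user]          # SHA1(password), never the plaintext
    sid = server.new_stream_id()
    return server.check(user, sid, edigest_response(sid, stolen))


if __name__ == "__main__":
    # Constructed sample credentials.
    for scheme in ("digest", "edigest"):
        ok, wire, _, _ = run_exchange(scheme, "alice", "hunter2")
        print(scheme, "auth ok:", ok, "| plaintext on wire:", "hunter2" in wire,
              "| replay ok:", replay_succeeds(scheme, "alice", "hunter2"))
    print("edigest: stored hash alone logs in:", stored_hash_logs_in("alice", "hunter2"))
```

What the run shows: digest puts the plaintext on the wire at registration, edigest never does, and the per-stream id defeats replay in both. It also shows the cost of edigest that the thread is weighing: the value the server stores is a password equivalent, so protecting the server's credential store matters exactly as much as it did before.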