[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
dizzyd at jabber.org
Tue May 27 21:26:37 UTC 2003
On Tuesday, May 27, 2003, at 15:11 America/Denver, Nathan Walp wrote:
> *nix stores passwords hashed, yes. But *nix doesn't have to send
> passwords over the wire. It takes the plaintext password, hashes it,
> and compares. Jabber has the problem of how to do this, and still be
> able to change the password, which requires sending the plaintext
> password to the server at some point.

To clarify, one more time, we're talking about sending a digest of the
digest and a one-time session identifier over the wire.

    digest auth == SHA1(stream id + password-plaintext)
    edigest auth == SHA1(stream id + SHA1(password-plaintext))

This would mean that one never sends the plaintext password over the
wire, even for registration.
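
Added example, not part of the original message: a Python sketch of the two constructions above, with a server that stores only SHA1(password) checking an edigest response. The hex encoding of the inner digest, the `Server` class and all function names are assumptions; the message does not specify them.

```python
import hashlib
import hmac
import secrets


def sha1_hex(data: str) -> str:
    """Lowercase hex SHA-1 of a UTF-8 string."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def digest_auth(stream_id: str, password: str) -> str:
    # digest auth == SHA1(stream id + password-plaintext)
    return sha1_hex(stream_id + password)


def edigest_auth(stream_id: str, password_hash: str) -> str:
    # edigest auth == SHA1(stream id + SHA1(password-plaintext))
    # Assumption: the inner digest is concatenated in hex form.
    return sha1_hex(stream_id + password_hash)


class Server:
    """Hypothetical server that never sees or stores the plaintext."""

    def __init__(self):
        # username -> SHA1(password). The response is computed from this
        # value, so the store needs the same protection as plaintext.
        self.stored = {}

    def register(self, user: str, password_hash: str) -> None:
        # Registration carries SHA1(password), not the plaintext.
        self.stored[user] = password_hash

    def new_stream_id(self) -> str:
        # One-time session identifier; must be fresh for every stream.
        return secrets.token_hex(8)

    def verify_edigest(self, user: str, stream_id: str, response: str) -> bool:
        stored = self.stored.get(user)
        if stored is None:
            return False
        expected = edigest_auth(stream_id, stored)
        # Constant-time comparison of the two hex strings.
        return hmac.compare_digest(expected.encode(), response.encode())
```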