[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Joe Hildebrand JHildebrand at jabber.com
Tue May 27 23:21:28 UTC 2003


Well, sorry it took me so long to get to my mail today.  Here are my
comments on this thread.

1) I agree with Tijl here that Choice is Good.  We're going to implement
something in this space in the short term, probably, so we figured it might
be good to talk about it in public first.  We've got customers for whom
rot13 storage (or equivalents) isn't good enough.

2) I don't mind this:

<iq type='result'>
   <query xmlns='jabber:iq:auth'>
      <username>foo</username>
      <resource/>
      <edigest id='123'/>
   </query>
</iq>

Where 123 is a random number chosen when the password set happens, and
stored alongside the password.  Then:

<iq type='set'>
   <query xmlns='jabber:iq:auth'>
      <username>foo</username>
      <resource>bar</resource>
      <edigest>sha1(streamid + sha1("123" + "pass"))</edigest>
   </query>
</iq>

Now that password isn't usable for some other system.  Yes, you still have
to set your password in cleartext, but we have that problem now.

3) You *can* do this:
<iq type='result'>
   <query xmlns='jabber:iq:auth'>
      <username>foo</username>
      <resource/>
      <edigest id='123'/>
      <digest/>
   </query>
</iq>

if the server has the plaintext password stored.  The edigest module just
retrieves the plaintext and does a little more with it before comparing.

-- 
Joe Hildebrand


> -----Original Message-----
> From: Tijl Houtbeckers [mailto:thoutbeckers at splendo.com] 
> Sent: Tuesday, May 27, 2003 3:05 PM
> To: standards-jig at jabber.org
> 
> Matt Tucker <matt at jivesoftware.com> wrote on 27-5-2003 22:53:16:
> >
> >Tijl -- your ideas on making a better digest mode are good. But again,
> >shouldn't we just leave digest as it is, let servers secure it on their
> >end, and focus on SASL?
> 
> I agree with you that edigest in its proposed form as by
> Dave is not useful. I also disagree that we should deprecate
> normal digest, let alone plain text, authentication in favor
> of edigest. However, it's true that in some cases you'd want
> to have something like edigest. And then it's best we
> standardize it, not only so that clients and server can be
> interoperable, but also so that the same mistakes that
> were made now will not be repeated.
> 
> Choice = good.
> 
> --
> Tijl Houtbeckers
> Software Engineer @ Splendo
> The Netherlands
> 
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
> 
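As an added worked example (not part of Joe's mail, the JEP, or any Jabber server's code), the edigest exchange from points 2 and 3 above carried through in Python: the server picks the random id at password-set time and stores only sha1(id + password), the client answers with sha1(streamid + sha1(id + password)), and the server verifies either from that stored hash or, as in point 3, from a plaintext password it still holds. Assumptions: hex-encoded SHA-1 over UTF-8 text (as the existing jabber:iq:auth <digest/> uses) for both the inner and outer hash, and the stanza helper names, the record layout and all sample values ("pass", "123", "stream-42") are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

NS = "jabber:iq:auth"


def sha1_hex(data: str) -> str:
    # Hex-encoded SHA-1 over UTF-8 text, as jabber:iq:auth <digest/> uses.
    # Assumption: the inner sha1(id + password) is hex-encoded the same way.
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def set_password(password: str, edigest_id: str = "") -> dict:
    # Server side, when the password is set: pick a random id and store it
    # next to sha1(id + password). The plaintext is not retained, so the
    # stored value is useless against another system sharing the password.
    if not edigest_id:
        edigest_id = str(secrets.randbelow(10**9))
    return {"id": edigest_id, "hash": sha1_hex(edigest_id + password)}


def fields_result(username: str, edigest_id: str, offer_digest: bool = False) -> str:
    # Server's <iq type='result'/> advertising the edigest id (point 2);
    # with offer_digest=True it also lists <digest/> (point 3).
    iq = ET.Element("iq", type="result")
    query = ET.SubElement(iq, "query", xmlns=NS)
    ET.SubElement(query, "username").text = username
    ET.SubElement(query, "resource")
    ET.SubElement(query, "edigest", id=edigest_id)
    if offer_digest:
        ET.SubElement(query, "digest")
    return ET.tostring(iq, encoding="unicode")


def parse_fields_result(stanza: str) -> tuple:
    # Client side: read the edigest id and whether <digest/> is also offered.
    query = ET.fromstring(stanza).find(f"{{{NS}}}query")
    edigest = query.find(f"{{{NS}}}edigest")
    offers_digest = query.find(f"{{{NS}}}digest") is not None
    return edigest.get("id"), offers_digest


def client_edigest(stream_id: str, edigest_id: str, password: str) -> str:
    # Client computes sha1(streamid + sha1(id + password)); the stream id
    # binds the response to this session, so a captured value cannot be replayed.
    return sha1_hex(stream_id + sha1_hex(edigest_id + password))


def auth_set(username: str, resource: str, edigest: str) -> str:
    # Client's <iq type='set'/> carrying the computed edigest.
    iq = ET.Element("iq", type="set")
    query = ET.SubElement(iq, "query", xmlns=NS)
    ET.SubElement(query, "username").text = username
    ET.SubElement(query, "resource").text = resource
    ET.SubElement(query, "edigest").text = edigest
    return ET.tostring(iq, encoding="unicode")


def parse_auth_set(stanza: str) -> tuple:
    # Server side: extract username, resource and the presented edigest.
    query = ET.fromstring(stanza).find(f"{{{NS}}}query")
    return (query.findtext(f"{{{NS}}}username"),
            query.findtext(f"{{{NS}}}resource"),
            query.findtext(f"{{{NS}}}edigest"))


def verify_with_stored_hash(stream_id: str, record: dict, presented: str) -> bool:
    # Server holding only {id, sha1(id + password)}: one more hash, then a
    # constant-time compare.
    expected = sha1_hex(stream_id + record["hash"])
    return hmac.compare_digest(expected, presented)


def verify_with_plaintext(stream_id: str, edigest_id: str, plaintext: str,
                          presented: str) -> bool:
    # Point 3: a server that still stores the plaintext derives the inner
    # hash on the fly, so it can offer <digest/> and <edigest/> side by side.
    derived = {"hash": sha1_hex(edigest_id + plaintext)}
    return verify_with_stored_hash(stream_id, derived, presented)


if __name__ == "__main__":
    record = set_password("pass", "123")     # constructed sample password and id
    stream_id = "stream-42"                  # constructed sample stream id
    result = fields_result("foo", record["id"], offer_digest=True)
    edigest_id, _ = parse_fields_result(result)
    response = auth_set("foo", "bar", client_edigest(stream_id, edigest_id, "pass"))
    user, resource, presented = parse_auth_set(response)
    print(result)
    print(response)
    print("stored-hash path:", verify_with_stored_hash(stream_id, record, presented))
    print("plaintext path:  ", verify_with_plaintext(stream_id, "123", "pass", presented))
```

Running the block prints both stanzas and True for both verification paths; changing the stream id or the password on the client side makes either path return False, which is the property the outer sha1(streamid + ...) buys over a stored hash that a captured value could replay.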


