[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
JHildebrand at jabber.com
Tue May 27 23:21:28 UTC 2003
Well, sorry it took me so long to get to my mail today. Here are my
comments on this thread.
1) I agree with Tijl here that Choice is Good. We're going to implement
something in this space in the short term, probably, so we figured it might
be good to talk about it in public first. We've got customers for whom
rot13 storage (or equivalents) isn't good enough.
2) I don't mind this:
Where 123 is a random number chosen when the password set happens, and
stored alongside the password. Then:
<edigest>sha1(streamid + sha1("123" + "pass"))</edigest>
Now that password isn't usable for some other system. Yes, you still have
to set your password in cleartext, but we have that problem now.
3) You *can* do this:
if the server has the plaintext password stored. The edigest module just
retrieves the plaintext and does a little more with it before comparing.
> -----Original Message-----
> From: Tijl Houtbeckers [mailto:thoutbeckers at splendo.com]
> Sent: Tuesday, May 27, 2003 3:05 PM
> To: standards-jig at jabber.org
> Matt Tucker <matt at jivesoftware.com> wrote on 27-5-2003 22:53:16:
> >Tijl -- your ideas on making a better digest mode are good.
> But again,
> >shouldn't we just leave digest as it is, let servers secure
> it on their
> >end, and focus on SASL?
> I agree with you that edigest in its proposed form as by
> Dave is not useful. I also disagree that we should deprecate
> normal digest, let alone plain text, authentication in favor
> of edigest. However, it's true that in some cases you'd want
> to have something like edigest. And then it's best we
> standardize it, not only so that clients and server can be
> interoperable, but also so that the same mistakes that
> were made now will not be repeated.
> Choice = good.
> Tijl Houtbeckers
> Software Engineer @ Splendo
> The Netherlands
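The salted edigest flow from points 2 and 3 above, worked through as an added example (this is not code from the thread or from any Jabber server or client). It assumes string concatenation and hex encoding of the inner SHA-1, which the message does not spell out, and uses a fixed salt "123" only so the run is reproducible; a real deployment would draw the salt at random at password-set time, as the message says.

```python
import hashlib
import secrets
import hmac


def sha1_hex(data: str) -> str:
    """SHA-1 over UTF-8 text, hex encoded (encoding choice is an assumption)."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def set_password(password: str, salt: str = "") -> dict:
    """Server side, when the password is set: pick a random salt (the "123"
    in the thread), keep it next to sha1(salt + password), and keep nothing
    else. The plaintext is seen once at set time and then discarded."""
    if not salt:
        salt = str(secrets.randbelow(10**9))  # constructed salt for the example
    return {"salt": salt, "inner": sha1_hex(salt + password)}


def client_edigest(streamid: str, salt: str, password: str) -> str:
    """Client side: <edigest>sha1(streamid + sha1(salt + password))</edigest>.
    The client needs the salt, so the server must hand it over before auth."""
    return sha1_hex(streamid + sha1_hex(salt + password))


def server_verify_salted(record: dict, streamid: str, edigest: str) -> bool:
    """Point 2: the server holds only salt + inner hash and still verifies,
    because the outer hash only needs the stored inner value."""
    expected = sha1_hex(streamid + record["inner"])
    return hmac.compare_digest(expected, edigest)


def server_verify_plaintext(plaintext: str, salt: str, streamid: str,
                            edigest: str) -> bool:
    """Point 3: a server that still stores plaintext can support edigest too;
    it just recomputes the inner hash before the comparison."""
    expected = sha1_hex(streamid + sha1_hex(salt + plaintext))
    return hmac.compare_digest(expected, edigest)


def legacy_digest(streamid: str, password: str) -> str:
    """Plain jabber:iq:auth digest, sha1(streamid + password), for contrast."""
    return sha1_hex(streamid + password)


def demo() -> dict:
    """Run the full exchange once and return the pieces a reader would check."""
    password = "pass"
    streamid = "stream-constructed-1"
    record_a = set_password(password, salt="123")   # system A
    record_b = set_password(password, salt="456")   # system B, same password
    edigest = client_edigest(streamid, record_a["salt"], password)
    return {
        "ok_salted": server_verify_salted(record_a, streamid, edigest),
        "ok_plaintext": server_verify_plaintext(password, "123", streamid, edigest),
        "wrong_password": server_verify_salted(
            record_a, streamid, client_edigest(streamid, "123", "wrong")),
        "wrong_stream": server_verify_salted(
            record_a, "another-stream", edigest),
        # Point 2's payoff: the stored value on A is useless on B and is not
        # the legacy digest either, so a leak of A's table does not hand out
        # a credential that works elsewhere.
        "stored_values_differ": record_a["inner"] != record_b["inner"],
        "not_legacy": edigest != legacy_digest(streamid, password),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the trade-off the message leaves implicit: the server must send the salt to the client before authentication, so the salt is not secret, and the stored inner hash is itself enough for a verifier to answer challenges on this system. What the salt buys is exactly what point 2 claims, that the stored value is bound to this server and cannot be replayed as the password on another one.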