[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Robert Norris rob at cataclysm.cx
Wed May 28 01:36:00 UTC 2003


> >Look, the idea here is to fix something that should have been fixed a 
> >long time ago. This isn't rocket science. It is neither less, nor more 
> >secure for authentication/registration than the current method -- but it 
> >DOES provide A way to avoid storing a password in plaintext.
> 
> Then you can simply change the server to hash the password that is 
> stored, or crypt it, or rot13 it, or do any number of simple 
> transformations so that the result is not directly readable in spool 
> file or database.  No client changes required.

You need whatever "password" (whether hashed or not) the client sent in
order to combine it with the stream ID to match their digest. So to do
the transformation server-side, you'd have to use a reversable
conversion (rot13, base64, etc), which is pointless.

I agree with Dave - this adds ONE thing, the ability for servers to
store encrypted passwords. No, its not going to add additional wire
security - thats not its point.

If you want something thats simple to implement and doesn't require much
effort, use what we already have, or use this extended version. If you
want something better, use SASL and/or TLS. If none of that suits you,
then perhaps you should have thought about bringing it up while the XMPP
work was in progress - its not like its just appeared out of nowhere.

Sigh.

Rob.

-- 
Robert Norris                                       GPG: 1024D/FC18E6C2
Email+Jabber: rob at cataclysm.cx                Web: http://cataclysm.cx/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/standards/attachments/20030528/f2240c54/attachment.sig>


More information about the Standards mailing list