[standards-jig] Refreshing the Thread: EDigest
thoutbeckers at splendo.com
Wed May 28 10:30:01 UTC 2003
Dave Smith <dizzyd at jabber.org> wrote on 28-5-2003 3:21:13:
Though at first it took you a while to understand what we meant, you've
made up for it now by sending replies to your own posts for questions I
was going to ask about them :) In this reply (to an older post)
I've already taken them into account.
>Note also that this mechanism is MUTUALLY EXCLUSIVE to the
>digest/plaintext password authentication types, since the actual
>password is never stored on the server.
As I noted, you could still have plaintext available, if someone were
to rewrite the server module for it. (For Digest, this is of course
impossible.) The password would still not be stored in plaintext on the
server, but you will be vulnerable to sniffing (if you don't use SSL)
and it's possible for an admin to intercept your password during login,
so I can't recommend that. Still, maybe it would help some people if
they're going to switch over to edigest. Once the switch is completed they
could disable plaintext and make everyone choose a new password.
>If you still don't like the proposal, feel free to contribute a
>counter proposal that satisfies these same requirements.
I think it's now a useful alternative. I don't think you intend to
deprecate "old" digest anymore either?
It's extremely easy for clients that already support digest to include
edigest (just some minutes of work and some minutes of testing
probably). If there will be decent server support (1.4.2 / jabber2) I'd
recommend client developers to implement it.
I assume this will end up in a JEP eventually, do you intend to just
cover :auth, or :register too? I assume it'd be desirable in some cases
not to expose the password during registration either.
Software Engineer @ Splendo
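The point made above, that a server which stores only a hash of the password can still verify a plaintext login but cannot verify the "old" jabber:iq:auth digest, as an added worked example. This is illustration code written for this page, not code from the thread, from jabberd or from the EDigest proposal: the salted SHA-256 record layout (`make_record`) is a hypothetical stand-in for whatever EDigest actually stores, which this message does not describe. The only part taken from the protocol is the legacy `<digest/>` computation, lowercase hex SHA-1 over the stream id concatenated with the password. All inputs (the password `s3cret`, the stream id `3B7D0A12`) are constructed.

```python
import hashlib
import hmac
import os


def _salted_hash(salt, password):
    # Hypothetical hash-only storage: SHA-256(salt || password), hex encoded.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(password, salt=None, keep_plaintext=False):
    """Build a server-side credential record (constructed layout, not EDigest's).

    keep_plaintext=False models a server that never stores the password;
    keep_plaintext=True models one that still keeps it, which is what the
    legacy <digest/> check needs.
    """
    if salt is None:
        salt = os.urandom(16)
    record = {"salt": salt, "hash": _salted_hash(salt, password)}
    if keep_plaintext:
        record["password"] = password
    return record


def verify_plaintext(record, password):
    """jabber:iq:auth <password/>: the client sends the password itself,
    so even a hash-only server can re-hash it and compare. The password is
    exposed on the wire (without SSL) and to the server at login time."""
    candidate = _salted_hash(record["salt"], password)
    return hmac.compare_digest(candidate, record["hash"])


def client_legacy_digest(stream_id, password):
    """Client side of jabber:iq:auth <digest/>: hex SHA-1(stream_id || password)."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def verify_legacy_digest(record, stream_id, digest):
    """Server side of <digest/>. Recomputing SHA-1(stream_id || password)
    requires the plaintext password, so a hash-only record cannot do it."""
    if "password" not in record:
        raise LookupError("legacy <digest/> needs the plaintext password; "
                          "this record holds only a hash")
    expected = client_legacy_digest(stream_id, record["password"])
    return hmac.compare_digest(expected, digest)


def supported_methods(record):
    """Which jabber:iq:auth methods a given record lets the server verify."""
    methods = ["password"]          # plaintext always verifiable
    if "password" in record:
        methods.append("digest")    # legacy digest only with the plaintext on hand
    return methods


if __name__ == "__main__":
    stream_id = "3B7D0A12"          # constructed stream id
    hash_only = make_record("s3cret")
    with_plaintext = make_record("s3cret", keep_plaintext=True)
    print("hash-only record supports:", supported_methods(hash_only))
    print("plaintext record supports:", supported_methods(with_plaintext))
    digest = client_legacy_digest(stream_id, "s3cret")
    print("plaintext login against hash-only record:",
          verify_plaintext(hash_only, "s3cret"))
    try:
        verify_legacy_digest(hash_only, stream_id, digest)
    except LookupError as exc:
        print("digest login against hash-only record:", exc)
    print("digest login against plaintext record:",
          verify_legacy_digest(with_plaintext, stream_id, digest))
```

The asymmetry is the whole argument of the message: keeping `<password/>` alive during a migration costs nothing on the storage side, but it reintroduces exactly the sniffing and admin-interception exposure the hashed store was meant to remove, so it only makes sense as a temporary bridge before plaintext is disabled and passwords are re-chosen.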