[standards-jig] Refreshing the Thread: EDigest

Tijl Houtbeckers thoutbeckers at splendo.com
Wed May 28 10:30:01 UTC 2003


Dave Smith <dizzyd at jabber.org> wrote on 28-5-2003 3:21:13:

Though at first it took you a while to understand what we meant, you've 
made up for it now by sending replies to your own posts for questions I 
was going to ask about them :) In this reply (to an older post) 
I've already taken them into account. 

>Note also that this mechanism is MUTUALLY EXCLUSIVE to the 
>digest/plaintext password authentication types, since the actual 
>password is never stored on the server.

As I noted, you could still have plaintext available, if someone were 
to rewrite the server module for it. (For Digest, this is of course 
impossible.) The password would still not be stored in plaintext on the 
server, but you will be vulnerable to sniffing (if you don't use SSL) 
and it's possible for an admin to intercept your password during login, 
so I can't recommend that. Still, maybe it would help some people if 
they're going to switch over to edigest. Once the switch is completed they 
could disable plaintext and make everyone choose a new password. 

>If you still don't like the proposal, feel free to contribute a 
>counter proposal that satisfies these same requirements.

I think it's now a useful alternative. I don't think you intend to 
deprecate "old" digest anymore either? 

It's extremely easy for clients that already support digest to include 
edigest (just some minutes of work and some minutes of testing 
probably). If there is decent server support (1.4.2 / jabber2) I'd 
recommend client developers to implement it. 

I assume this will end up in a JEP eventually; do you intend to just 
cover :auth, or :register too? I assume it'd be desirable in some cases 
not to expose the password during registration either. 

-- 
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands