[standards-jig] Refreshing the Thread: EDigest

Dave Smith dizzyd at jabber.org
Wed May 28 12:39:09 UTC 2003




On Wednesday, May 28, 2003, at 04:30 America/Denver, Tijl Houtbeckers wrote:

> As I noted, you could still have plaintext available, if someone were
> to rewrite the server module for it. (For Digest, this is of course
> impossible). The password would still not be stored in plaintext on the
> server, but you will be vulnerable to sniffing (if you don't use SSL)
> and it's possible for an admin to intercept your password during login,
> so I can't recommend that. Still, maybe it would help some people if
> they're gonna switch over to edigest. Once the switch is completed they
> could disable plaintext and make everyone choose a new password.

Yup, you could continue to have plaintext/digest enabled.

> I think it's now a useful alternative. I don't think you intend to
> deprecate "old" digest anymore either?

Nope.

> I assume this will end up in a JEP eventually, do you intend to just
> cover :auth, or :register too? I assume it'd be desirable in some cases
> not to expose the password during registration either.

Yes, I'm hoping to get stpeter to include this in the standards-track JEP. I'm not sure what you mean by "just cover :auth or :register"...


Diz