[standards-jig] Refreshing the Thread: EDigest

Matt Tucker matt at jivesoftware.com
Wed May 28 12:53:28 UTC 2003


Dave,

The proposal is a much stronger one with the changes, and I don't see 
any objections to it from a technical perspective. It is definitely an 
improvement over the standard digest methdod.

However, I still have to wonder if it's a big enough improvement to be 
worthwhile as a standard? It doesn't provide wire security, could be 
solved on the application side through database encryption, and may not 
  ever gain wide acceptance due to the entrenched use of normal digest. 
  Maybe this isn't enough to reject it though, since choice is indeed 
good. :) However, one thing to consider -- would using edigest prevent 
servers from supporting SASL in any way? IE, do most SASL modes require 
  the server to have a copy of the plain text password (I have no idea)? 
For example, one SASL library I found supports the following options for 
login:

* ANONYMOUS
* CRAM-MD5
* PLAIN
* GSSAPI (MIT Kerberos 5 or Heimdal Kerberos 5)
* DIGEST-MD5

What modes do we anticipate XMPP servers supporting? Since SASL seems to 
be what everyone is aiming for as the main protocol, perhaps it would be 
good to consider all the other auth protocols in relation to it briefly?

Regards,
Matt

Dave Smith wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> To clarify further,
> 
> The server will provide the random ID to the user during the iq:auth 
> "get" sequence of authentication. The random ID should be selected and 
> saved by the server registration time.
> 
> Diz
> 
> On Tuesday, May 27, 2003, at 20:02 America/Denver, Dave Smith wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> On Tuesday, May 27, 2003, at 19:57 America/Denver, Casey Crabb wrote:
>>
>>> On Tue, May 27, 2003 at 07:40:48PM -0600, Dave Smith wrote:
>>>
>>>> Amendment to my previous email -- Tijl, I agree completely now. Let's
>>>> use the random numbers as you originally suggested. So edigest becomes:
>>>>
>>>> edigest == SHA(stream id + SHA(random id + password))
>>>
>>>
>>> Just to be extra clear; This random id is passed to the client upon
>>> requesting authentication methods the server supports, correct? I
>>
>>
>> Correct. The server tracks the random ID.
>>
>> Diz
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.1 (Darwin)
>>
>> iD8DBQE+1BiYYNE3chVHHsMRAr8VAKDylKbX1DlsgclM5VjWOGEiaJPpigCgzYV+
>> YQXrUsOH531VJbNrMZ6uhgA=
>> =FOMV
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Standards-JIG mailing list
>> Standards-JIG at jabber.org
>> http://mailman.jabber.org/listinfo/standards-jig
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (Darwin)
> 
> iD8DBQE+1BtbYNE3chVHHsMRAvh2AKDzcN1F4eYOgtroFUlEYeBd7AMk4QCfbgkz
> vq5Xi4sVnI/w8mH+Ozg+gog=
> =rr8d
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig




More information about the Standards mailing list