[standards-jig] Refreshing the Thread: EDigest
matt at jivesoftware.com
Wed May 28 12:53:28 UTC 2003
The proposal is a much stronger one with the changes, and I don't see
any objections to it from a technical perspective. It is definitely an
improvement over the standard digest method.
However, I still have to wonder if it's a big enough improvement to be
worthwhile as a standard? It doesn't provide wire security, could be
solved on the application side through database encryption, and may not
ever gain wide acceptance due to the entrenched use of normal digest.
Maybe this isn't enough to reject it though, since choice is indeed
good. :) However, one thing to consider -- would using edigest prevent
servers from supporting SASL in any way? I.e., do most SASL modes require
the server to have a copy of the plain text password (I have no idea)?
For example, one SASL library I found supports the following options for
* GSSAPI (MIT Kerberos 5 or Heimdal Kerberos 5)
What modes do we anticipate XMPP servers supporting? Since SASL seems to
be what everyone is aiming for as the main protocol, perhaps it would be
good to consider all the other auth protocols in relation to it briefly?
Dave Smith wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> To clarify further,
> The server will provide the random ID to the user during the iq:auth
> "get" sequence of authentication. The random ID should be selected and
> saved by the server registration time.
> On Tuesday, May 27, 2003, at 20:02 America/Denver, Dave Smith wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> On Tuesday, May 27, 2003, at 19:57 America/Denver, Casey Crabb wrote:
>>> On Tue, May 27, 2003 at 07:40:48PM -0600, Dave Smith wrote:
>>>> Amendment to my previous email -- Tijl, I agree completely now. Let's
>>>> use the random numbers as you originally suggested. So edigest becomes:
>>>> edigest == SHA(stream id + SHA(random id + password))
>>> Just to be extra clear; This random id is passed to the client upon
>>> requesting authentication methods the server supports, correct? I
>> Correct. The server tracks the random ID.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.1 (Darwin)
>> -----END PGP SIGNATURE-----
>> Standards-JIG mailing list
>> Standards-JIG at jabber.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (Darwin)
> -----END PGP SIGNATURE-----