[standards-jig] Refreshing the Thread: EDigest
thoutbeckers at splendo.com
Wed May 28 12:47:28 UTC 2003
Dave Smith <dizzyd at jabber.org> wrote on 28-5-2003 14:39:09:
>On Wednesday, May 28, 2003, at 04:30 America/Denver, Tijl Houtbeckers
>Yup, you could continue to have plaintext/digest enabled.
I'm not sure how it'd be possible for digest to work if you don't store
the password in plaintext? (since digest has to sha1(streamid + pass)).
>> I assume this will end up in a JEP eventually, do you intend to just
>> cover :auth, or :register too? I assume it'd be desirable in some
>> cases not to expose the password during registration either.
>Yes, I'm hoping to get stpeter to include this in the standards-track
>JEP. I'm not sure what you mean by "just cover :auth or :register"....
I mean, currently we've been talking about how jabber:iq:auth should
work with edigest. We could also make it possible to use edigest for
jabber:iq:register, that way your password would never be exposed to
the server, not even during registration. The disadvantage is that the
server can't make any checks to see if the password is any good (in
other words refuse passwords like "root", "god" and "sex" or that equal
the username) but I'm sure some paranoid people would like it.
Software Engineer @ Splendo
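
The storage question raised in this message, as an added example that is not part of the original post: a server that keeps the password can recompute sha1(streamid + pass) and can refuse weak passwords at registration, while a server that keeps only sha1(pass) can check a plaintext login but not a digest one. The class names, the sha1(pass) storage scheme and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac

WEAK = {"root", "god", "sex"}  # the weak passwords named in the message


def digest(stream_id, password):
    # jabber:iq:auth digest as the message states it: sha1(streamid + pass)
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


class PlaintextStore:
    """Keeps the password itself, so digest auth and quality checks both work."""

    def __init__(self):
        self.passwords = {}

    def register(self, user, password):
        if password in WEAK or password == user:
            return False  # server can refuse because it sees the password
        self.passwords[user] = password
        return True

    def verify_digest(self, user, stream_id, client_digest):
        expected = digest(stream_id, self.passwords[user])
        return hmac.compare_digest(expected, client_digest)


class HashedStore:
    """Keeps only sha1(pass) (constructed scheme, for contrast)."""

    def __init__(self):
        self.hashes = {}

    def register(self, user, password):
        self.hashes[user] = hashlib.sha1(password.encode("utf-8")).hexdigest()
        return True

    def verify_plaintext(self, user, password):
        candidate = hashlib.sha1(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(self.hashes[user], candidate)

    def verify_digest(self, user, stream_id, client_digest):
        # Best available attempt: the stored hash stands in for the password,
        # which does not match the sha1(streamid + pass) the client computed.
        expected = digest(stream_id, self.hashes[user])
        return hmac.compare_digest(expected, client_digest)
```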