[standards-jig] Refreshing the Thread: EDigest

Tijl Houtbeckers thoutbeckers at splendo.com
Wed May 28 12:47:28 UTC 2003


Dave Smith <dizzyd at jabber.org> wrote on 28-5-2003 14:39:09:
>On Wednesday, May 28, 2003, at 04:30 America/Denver, Tijl Houtbeckers 
>wrote:
>
>Yup, you could continue to have plaintext/digest enabled.

I'm not sure how it'd be possible for digest to work if you don't store
the password in plaintext? (since digest has to compute sha1(streamid + pass)).

>> I assume this will end up in a JEP eventually, do you intend to just
>> cover :auth, or :register too? I assume it'd be desirable in some
>> cases not to expose the password during registration either.
>
>Yes, I'm hoping to get stpeter to include this in the standards-track 
>JEP. I'm not sure what you mean by "just cover :auth or :register"....

I mean, currently we've been talking about how jabber:iq:auth should
work with edigest. We could also make it possible to use edigest for
jabber:iq:register, that way your password would never be exposed to
the server, not even during registration. The disadvantage is that the
server can't make any checks to see if the password is any good (in
other words refuse passwords like "root", "god" and "sex" or that equal
the username) but I'm sure some paranoid people would like it.

-- 
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands
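To illustrate the two points raised in this exchange, here is an added example (not code from the thread or from any Jabber server): a toy account store that shows why jabber:iq:auth digest verification, sha1(streamid + pass), needs the plaintext password on the server, and why a registration that only ever hands the server an opaque client-side hash (a constructed stand-in for the edigest idea, not its actual definition) leaves the server unable to apply a password policy. All class and function names and the sample values are assumptions.

```python
import hashlib
import secrets

# The weak passwords named in the thread; a real policy would be broader.
WEAK_PASSWORDS = {"root", "god", "sex"}


def auth_digest(stream_id: str, password: str) -> str:
    """jabber:iq:auth digest: lowercase hex SHA-1 of the stream id followed by the password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def password_ok(username: str, password: str) -> bool:
    """Policy the server can only apply when it sees the plaintext at registration."""
    pw = password.lower()
    return pw not in WEAK_PASSWORDS and pw != username.lower()


class Server:
    """Constructed toy store: 'plaintext' accounts can answer digest auth,
    'opaque' accounts (registered with a client-side hash) cannot."""

    def __init__(self):
        self.accounts = {}  # username -> ("plaintext", password) or ("opaque", hash)

    def register_plaintext(self, username: str, password: str) -> bool:
        # Server sees the password, so it can refuse weak ones.
        if not password_ok(username, password):
            return False
        self.accounts[username] = ("plaintext", password)
        return True

    def register_opaque(self, username: str, password_hash: str) -> bool:
        # Password never reaches the server: no policy check is possible.
        self.accounts[username] = ("opaque", password_hash)
        return True

    def verify_digest(self, username: str, stream_id: str, digest: str) -> bool:
        kind, secret = self.accounts.get(username, (None, None))
        if kind != "plaintext":
            # sha1(streamid + pass) cannot be recomputed from a stored hash,
            # so digest auth fails for accounts without a plaintext password.
            return False
        return secrets.compare_digest(auth_digest(stream_id, secret), digest)
```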
