[standards-jig] Refreshing the Thread: EDigest
dizzyd at jabber.org
Wed May 28 13:11:26 UTC 2003
On Wednesday, May 28, 2003, at 06:53 America/Denver, Matt Tucker wrote:
> However, I still have to wonder if it's a big enough improvement to be
> worthwhile as a standard? It doesn't provide wire security, could be
> solved on the application side through database encryption, and may
> not ever gain wide acceptance due to the entrenched use of normal
> digest. Maybe this isn't
Look, you don't have to implement it. But there will be support for
edigest in at least 3 servers now -- so there are some people who find
it a useful enough addition that they are willing to implement it.
> enough to reject it though, since choice is indeed good. :) However,
> one thing to consider -- would using edigest prevent servers from
> supporting SASL in any way? I.e., do most SASL modes require the server
> to have a copy of the plain text password (I have no idea)? For
> example, one SASL library I found supports the following options for
> What modes do we anticipate XMPP servers supporting? Since SASL seems
> to be what everyone is aiming for as the main protocol, perhaps it
> would be good to consider all the other auth protocols in relation to
> it briefly?
According to the IETF spec (which is now in Last Call), the only
"Mandatory to Implement" SASL authentication mechanism is DIGEST-MD5.
I would reiterate, however, that the jabber:iq:auth namespace is
meant to be orthogonal to the SASL auth mechanisms. You can have one or
the other -- there's no requirement for them to both work off the same
password store. As such, I'm honestly not concerned about whether or
not SASL needs a plaintext password.
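Matt's question above, whether SASL mechanisms force the server to keep a copy of the plaintext password, has a concrete answer for DIGEST-MD5, the mechanism named as mandatory to implement. What follows is an added worked example, not code from this thread or from any Jabber server: it implements the RFC 2831 response computation and shows that the server side needs only the 16 raw bytes of MD5("username:realm:password"), never the password itself. The sample parameters (user chris, realm elwood.innosoft.com, password secret, the nonces, and the two expected digests) are the worked example from RFC 2831 section 4; the account store and the verify helper are hypothetical.

```python
"""DIGEST-MD5 (RFC 2831) computed two ways: the client from the plaintext
password, the server from a stored H(username:realm:password).
Added example for this thread; not code from any Jabber server."""
import hashlib
import hmac


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """RFC 2831's H("username:realm:passwd"), as raw bytes (not hex).
    This is the only per-user value a DIGEST-MD5 server needs to keep;
    the plaintext can be discarded once this is computed."""
    return _md5(f"{username}:{realm}:{password}".encode("utf-8"))


def _a2(prefix: bytes, digest_uri: str, qop: str) -> bytes:
    # A2 = "AUTHENTICATE:" digest-uri for the client, ":" digest-uri for
    # the server's rspauth; auth-int/auth-conf append 32 zero digits.
    a2 = prefix + digest_uri.encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    return a2


def _kd(secret, nonce, cnonce, nc, qop, a2, authzid=None) -> str:
    # A1 = { H(user:realm:pass), ":", nonce, ":", cnonce [, ":", authzid] }
    a1 = secret + b":" + nonce.encode("utf-8") + b":" + cnonce.encode("utf-8")
    if authzid:
        a1 += b":" + authzid.encode("utf-8")
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    inner = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}"
    return _md5hex(inner.encode("utf-8"))


def client_response(secret, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """The response= value the client sends in its digest-response."""
    return _kd(secret, nonce, cnonce, nc, qop,
               _a2(b"AUTHENTICATE:", digest_uri, qop), authzid)


def server_rspauth(secret, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """The rspauth= value the server sends back to prove it also knows the secret."""
    return _kd(secret, nonce, cnonce, nc, qop,
               _a2(b":", digest_uri, qop), authzid)


def server_verify(secret, received_response, **params) -> bool:
    """Server-side check: recompute from the stored hash, compare in constant time."""
    return hmac.compare_digest(client_response(secret, **params), received_response)


# Parameters of the worked example in RFC 2831, section 4 (constructed
# inputs as far as this thread is concerned; they are the RFC's values).
RFC2831_PARAMS = dict(
    nonce="OA6MG9tEQGm2hh",
    cnonce="OA6MHXh6VqTrRk",
    nc="00000001",
    qop="auth",
    digest_uri="imap/elwood.innosoft.com",
)


def demo():
    """Client has the plaintext; the (hypothetical) account store never does."""
    client_secret = stored_secret("chris", "elwood.innosoft.com", "secret")
    response = client_response(client_secret, **RFC2831_PARAMS)

    # Provisioned at account creation; only the hash is persisted.
    account_store = {"chris": stored_secret("chris", "elwood.innosoft.com", "secret")}
    ok = server_verify(account_store["chris"], response, **RFC2831_PARAMS)
    rspauth = server_rspauth(account_store["chris"], **RFC2831_PARAMS)
    return response, ok, rspauth


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when reading this against the thread. The stored value is bound to the realm: change the realm string and every stored secret has to be re-derived from a plaintext the server no longer has, which is one reason deployments end up keeping plaintext anyway. And "not plaintext" is not "harmless if leaked": H(username:realm:password) is exactly what the client feeds into A1, so anyone who reads the store can authenticate as that user in that realm without ever recovering the password.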