[standards-jig] Refreshing the Thread: EDigest

Dave Smith dizzyd at jabber.org
Wed May 28 13:11:26 UTC 2003

On Wednesday, May 28, 2003, at 06:53 America/Denver, Matt Tucker wrote:

> However, I still have to wonder if it's a big enough improvement to be 
> worthwhile as a standard? It doesn't provide wire security, could be 
> solved on the application side through database encryption, and may 
> not ever gain wide acceptance due to the entrenched use of normal 
> digest. Maybe this isn't

Look, you don't have to implement it. But there will be support for 
edigest in at least 3 servers now -- so there are some people who find 
it a useful enough addition that they are willing to implement it.

> enough to reject it though, since choice is indeed good. :) However, 
> one thing to consider -- would using edigest prevent servers from 
> supporting SASL in any way? IE, do most SASL modes require the server 
> to have a copy of the plain text password (I have no idea)? For 
> example, one SASL library I found supports the following options for 
> login:
> ..snip..
> What modes do we anticipate XMPP servers supporting? Since SASL seems 
> to be what everyone is aiming for as the main protocol, perhaps it 
> would be good to consider all the other auth protocols in relation to 
> it briefly?

According to the IETF spec (which is now in Last Call), the only 
"Mandatory to Implement" authentication SASL protocol is DIGEST-MD5.

I would reiterate, however, that the jabber:iq:auth namespaces are 
meant to be orthogonal to the SASL auth mechanisms. You can have one or 
the other -- there's no requirement for them to both work off the same 
password store. As such, I'm honestly not concerned about whether or 
not SASL needs a plaintext password.
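As an added illustration of the question raised above (not code from this thread or from any of the servers mentioned), the mandatory DIGEST-MD5 mechanism can be checked directly: RFC 2831 forms A1 from the raw MD5 of username:realm:password, so a server can verify a client's response while holding only that 16-byte hash rather than the plaintext. All usernames, realms, nonces and URIs below are constructed sample values.

```python
import hashlib
import secrets


def stored_secret(username: str, realm: str, password: str) -> bytes:
    # RFC 2831 lets the server keep H(username:realm:password) instead of
    # the password; it is the only password-derived input to the rest.
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def _ha1(secret: bytes, nonce: str, cnonce: str) -> str:
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce  (raw bytes, then hex MD5)
    return hashlib.md5(secret + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()


def _kd(ha1: str, ha2: str, nonce: str, nc: str, cnonce: str, qop: str) -> str:
    # KD(k, s) = H(k ":" s) with s = nonce:nc:cnonce:qop:HEX(H(A2))
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def client_response(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    # Client-side A2 is "AUTHENTICATE:" digest-uri (qop=auth only).
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode("utf-8")).hexdigest()
    return _kd(_ha1(secret, nonce, cnonce), ha2, nonce, nc, cnonce, qop)


def server_rspauth(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    # The server's own proof uses A2 = ":" digest-uri, so it never equals
    # the client's response and cannot simply be replayed back.
    ha2 = hashlib.md5(f":{digest_uri}".encode("utf-8")).hexdigest()
    return _kd(_ha1(secret, nonce, cnonce), ha2, nonce, nc, cnonce, qop)


def server_verify(db_secret: bytes, response: str, nonce: str, cnonce: str,
                  nc: str, qop: str, digest_uri: str) -> bool:
    # The server recomputes from its stored hash only; no plaintext needed.
    expected = client_response(db_secret, nonce, cnonce, nc, qop, digest_uri)
    return secrets.compare_digest(expected, response)


def demo() -> bool:
    # Constructed sample exchange: the server database holds only the hash.
    user, realm, password = "alice", "example.org", "correct horse battery"
    nonce, cnonce, nc, qop, uri = "srvNonce01", "cliNonce01", "00000001", "auth", "xmpp/example.org"
    db = {user: stored_secret(user, realm, password)}
    resp = client_response(stored_secret(user, realm, password), nonce, cnonce, nc, qop, uri)
    return server_verify(db[user], resp, nonce, cnonce, nc, qop, uri)
```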
