[standards-jig] Refreshing the Thread: EDigest
dizzyd at jabber.org
Wed May 28 13:14:36 UTC 2003
On Wednesday, May 28, 2003, at 06:47 America/Denver, Tijl Houtbeckers
> I'm not sure how it'd be possible for digest to work if you don't store
> the password in plaintext? (since digest has to sha1(streamid + pass)).
Oh, I see. What I meant was that digest/plaintext could still be a
valid option, it'd just have to use a plaintext version of the password
(so you'd have to provide a plaintext and edigest version of your
password during registration). Remember edigest is mutually exclusive
to digest/plaintext for this very reason.
> I mean, currently we've been talking about how jabber:iq:auth should
> work with edigest. We could also make it possible to use edigest for
> jabber:iq:register, that way your password would never be exposed to
> the server, not even during registration. The disadvantage is that the
> server can't make any checks to see if the password is any good (in
> other words refuse passwords like "root", "god" and "sex" or that equal
> the username) but I'm sure some paranoid people would like it.
Well, technically you could write a module that takes a dictionary and
uses the "random id" to generate hashes of those passwords to ensure
that people don't use easy-to-guess words.
I think there is still some clarification needed around how edigest
fits into iq:register -- I'll work with stpeter to clarify this in the
JEP so that everyone can see all the pieces put together.
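As an added worked example (not code from this thread, the JEP, or any Jabber server), here is a toy Python model of the two flows the reply sketches: registering with an "edigest" credential so the server never sees the plaintext password, and checking that credential against a dictionary using the same random id. The edigest construction itself is an assumption made for illustration: the credential is taken to be sha1(random_id + password), with the server keeping the random id per account, and the login response to be sha1(streamid + edigest) in the style of the existing sha1(streamid + pass) digest. The dictionary, usernames and ids are constructed sample values.

```python
"""Toy model (added example, assumptions labelled) of edigest registration,
server-side dictionary checking, and digest-style login without a stored
plaintext password."""
import hashlib
import hmac
import secrets


def sha1_hex(data: str) -> str:
    """Hex SHA-1 over UTF-8 text, the primitive both sides share."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


# ---- client side --------------------------------------------------------

def client_edigest(random_id: str, password: str) -> str:
    """ASSUMED edigest form: sha1(random_id + password). The server issued
    random_id at registration; the plaintext password never leaves the client."""
    return sha1_hex(random_id + password)


def client_auth_response(stream_id: str, random_id: str, password: str) -> str:
    """ASSUMED login response: sha1(streamid + edigest). The client recomputes
    the edigest from the random id the server hands back, then digests it
    with the stream id exactly as the classic sha1(streamid + pass) does."""
    return sha1_hex(stream_id + client_edigest(random_id, password))


# ---- server side --------------------------------------------------------

class Server:
    """Stores (random_id, edigest) per user; never stores a plaintext password."""

    def __init__(self, weak_words):
        self.users = {}                 # username -> (random_id, edigest)
        self.weak_words = set(weak_words)

    def registration_challenge(self) -> str:
        """Fresh per-account random id sent to the client before registration."""
        return secrets.token_hex(16)

    def is_weak(self, username: str, random_id: str, edigest: str) -> bool:
        """The server cannot read the password, but it can hash a dictionary
        (plus the username) with the same random id and compare, as the reply
        suggests. Anything outside the dictionary passes unchecked."""
        candidates = self.weak_words | {username}
        return any(
            hmac.compare_digest(sha1_hex(random_id + word), edigest)
            for word in candidates
        )

    def register(self, username: str, random_id: str, edigest: str) -> bool:
        """Accept the edigest only if it does not match a dictionary word."""
        if self.is_weak(username, random_id, edigest):
            return False
        self.users[username] = (random_id, edigest)
        return True

    def auth_challenge(self, username: str):
        """Return (stream_id, random_id); the client needs both to answer."""
        random_id, _ = self.users[username]
        return secrets.token_hex(16), random_id

    def verify(self, username: str, stream_id: str, response: str) -> bool:
        """Verifiable from the stored edigest alone. A classic
        sha1(streamid + pass) response could NOT be checked here, which is
        why edigest and digest/plaintext are mutually exclusive."""
        if username not in self.users:
            return False
        _, edigest = self.users[username]
        return hmac.compare_digest(sha1_hex(stream_id + edigest), response)


def demo_flow(username: str, password: str) -> dict:
    """End-to-end run with random ids; returns what each step decided."""
    srv = Server(["root", "god", "sex"])
    rid = srv.registration_challenge()
    registered = srv.register(username, rid, client_edigest(rid, password))
    if not registered:
        return {"registered": False, "login_ok": False}
    sid, rid_back = srv.auth_challenge(username)
    login_ok = srv.verify(username, sid, client_auth_response(sid, rid_back, password))
    stored_plaintext = password in repr(srv.users)
    return {"registered": True, "login_ok": login_ok,
            "stored_plaintext": stored_plaintext}


if __name__ == "__main__":
    print(demo_flow("alice", "god"))            # rejected by the dictionary check
    print(demo_flow("alice", "correct horse"))  # registers and logs in
```

Two things the model makes visible. The dictionary check is only as good as the dictionary: the server is effectively running an offline guessing attack against its own user, so it finds "god" but nothing it did not think to list. And the stored edigest is password-equivalent for this server, since anyone holding it can answer the login challenge, so the storage still needs the same protection a plaintext password would, only the exposure no longer carries across to other services.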