[standards-jig] Refreshing the Thread: EDigest

Dave Smith dizzyd at jabber.org
Wed May 28 13:14:36 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Wednesday, May 28, 2003, at 06:47 America/Denver, Tijl Houtbeckers 
wrote:

> I'm not sure how it'd be possible for digest to work if you don't store
> the password in plaintext? (since digest has to sha1(streamid + pass)).

Oh, I see. What I meant was that digest/plaintext could still be a 
valid option, it'd just have to use a plaintext version of the password 
(so you'd have to provide a plaintext and edigest version of your 
password during registration). Remember edigest is mutually exclusive 
to digest/plaintext for this very reason.

> I mean, currently we've been talking about how jabber:iq:auth should
> work with edigest. We could also make it possible to use edigest for
> jabber:iq:register, that way your password would never be exposed to
> the server, not even during registration. The disadvantage is that the
> server can't make any checks to see if the password is any good (in
> other words refuse password like "root", "god and "sex" or that equal
> the username) but I'm sure some paranoid people would like it.

Well, technically you could write a module that takes a dictionary and 
uses the "random id" to generate hashes of those passwords to ensure 
that people don't use easy to guess words.

I think there is still some clarification needed around how edigest 
fits into iq:register -- I'll work with stpeter to clarify this in the 
JEP so that everyone can see all the pieces put together.

Diz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+1LY8YNE3chVHHsMRAq8QAJ4+u6T8n1JzXvvZyKaqwmLZWNFXXgCgtcHB
bLkW53itkENZhGN3zE4Rsq8=
=2rXv
-----END PGP SIGNATURE-----




More information about the Standards mailing list