[standards-jig] Refreshing the Thread: EDigest
thoutbeckers at splendo.com
Wed May 28 13:01:11 UTC 2003
Matt Tucker <matt at jivesoftware.com> wrote on 28-5-2003 14:53:28:
>The proposal is a much stronger one with the changes, and I don't see
>any objections to it from a technical perspective. It is definitely an
>improvement over the standard digest method.
>However, I still have to wonder if it's a big enough improvement to be
>worthwhile as a standard? It doesn't provide wire security, could be
>solved on the application side through database encryption,
Actually, this cannot be solved by simply encrypting the database.
Then, the password could still be intercepted, because it is still sent
to the jabber server, or decrypted from the database. With edigest the
password is *never* sent, so it's not stored in the database either.
sha1(password+randomkey) can still be intercepted, but that's only
useful for *that* specific account.
>and may not
>ever gain wide acceptance due to the entrenched use of normal digest.
True, but one of the good things about this proposal is that clients
that already implement digest can very easily implement edigest (not
quite true for SASL). As Dave pointed out way at the beginning of this
thread, esp. companies can be sensitive about this kind of thing, so
it's an easy way to help Jabber forward.
As for what SASL modes XMPP servers will support, I think the purpose
of choosing SASL is flexibility. Support will depend on what is needed
for that specific situation. I'm not aware whether there is a SASL mode
that does what edigest tries to accomplish.
Software Engineer @ Splendo
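The storage and interception difference argued in the message above, as an added example that is not part of the original post or of the EDigest proposal itself. It models the standard digest (server must hold the plaintext to check sha1(stream_id + password)) next to an edigest-style scheme where the client derives sha1(password + randomkey) and the server stores only that. The thread does not say how the derived secret is then proven to the server; hashing it with the stream id the same way the standard digest does is an assumption of this model, and all passwords, keys and stream ids are constructed sample values.

```python
"""Model of the wire/storage difference the thread argues about.

Illustrative only: the real EDigest proposal and how it proves the
derived secret to the server are not described in this message; the
step that hashes the secret with the stream id is an assumption
borrowed from the standard digest method.
"""
import hashlib
import hmac


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# --- Standard Jabber digest: response = sha1(stream_id + password) ---------
def standard_response(stream_id: str, password: str) -> str:
    return sha1_hex(stream_id + password)


def standard_verify(stored_password: str, stream_id: str, response: str) -> bool:
    # The server can only recompute the response if it holds the plaintext
    # password, so a database dump (or decrypting an encrypted column)
    # yields the password itself.
    return hmac.compare_digest(standard_response(stream_id, stored_password), response)


# --- EDigest-style: per-account secret = sha1(password + randomkey) ---------
def edigest_secret(password: str, randomkey: str) -> str:
    # Derived on the client; the plaintext password never leaves it.
    return sha1_hex(password + randomkey)


def edigest_response(stream_id: str, secret: str) -> str:
    # Assumption: the derived secret is proven the same way the standard
    # digest proves the password (sha1 over stream id + secret).
    return sha1_hex(stream_id + secret)


def edigest_verify(stored_secret: str, stream_id: str, response: str) -> bool:
    return hmac.compare_digest(edigest_response(stream_id, stored_secret), response)


def demo() -> dict:
    # All values below are constructed for the example.
    password = "correct horse"
    stream_id = "3B0E8D5F"
    key_alice, key_bob = "7f3a9c", "e21b04"   # distinct per-account random keys

    # Standard digest: the account table must hold the plaintext.
    standard_db = {"alice": password}
    std_ok = standard_verify(standard_db["alice"], stream_id,
                             standard_response(stream_id, password))

    # EDigest-style: the account table holds only the derived secrets,
    # even though alice and bob chose the same password.
    secret_alice = edigest_secret(password, key_alice)
    secret_bob = edigest_secret(password, key_bob)
    edigest_db = {"alice": secret_alice, "bob": secret_bob}

    # An eavesdropper who captures alice's derived secret can impersonate
    # alice (the message concedes this) ...
    captured = secret_alice
    alice_ok = edigest_verify(edigest_db["alice"], stream_id,
                              edigest_response(stream_id, captured))
    # ... but the same capture is useless against bob's account, and the
    # database never held the password to begin with.
    bob_ok = edigest_verify(edigest_db["bob"], stream_id,
                            edigest_response(stream_id, captured))

    return {
        "standard_login_ok": std_ok,
        "standard_db_holds_password": password in standard_db.values(),
        "edigest_db_holds_password": password in edigest_db.values(),
        "captured_secret_logs_in_as_alice": alice_ok,
        "captured_secret_logs_in_as_bob": bob_ok,
        "secrets_differ_for_same_password": secret_alice != secret_bob,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the two points the message makes side by side: the standard scheme's account table contains the password while the edigest-style table does not, and a captured derived secret works only for the account whose randomkey produced it. It also shows what the message does not claim to fix: the captured secret is a valid credential for that one account, so wire protection (TLS, or a SASL mechanism) is still a separate concern.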