[standards-jig] Refreshing the Thread: EDigest

Tijl Houtbeckers thoutbeckers at splendo.com
Wed May 28 13:01:11 UTC 2003


Matt Tucker <matt at jivesoftware.com> wrote on 28-5-2003 14:53:28:
>
>Dave,
>
>The proposal is a much stronger one with the changes, and I don't see 
>any objections to it from a technical perspective. It is definitely an 
>improvement over the standard digest method.
>
>However, I still have to wonder if it's a big enough improvement to be 
>worthwhile as a standard? It doesn't provide wire security, could be 
>solved on the application side through database encryption,

Actually, this cannot be solved by simply encrypting the database. 
Then, the password could still be intercepted, because it is still sent 
to the jabber server, or decrypted from the database. With edigest the 
password is *never* sent, so it's not stored in the database either. 
sha1(password+randomkey) can still be intercepted, but that's only 
useful for *that* specific account. 

>and may not 
>ever gain wide acceptance due to the entrenched use of normal digest. 

True, but one of the good things about this proposal is that clients 
that already implement digest can very easily implement edigest (not 
quite true for SASL). As Dave pointed out way at the beginning of this 
thread, esp. companies can be sensitive about this kind of thing, so 
it's an easy way to help Jabber forward. 

As for what SASL modes XMPP servers will support, I think the purpose 
of choosing SASL is flexibility. Support will depend on what is needed 
for that specific situation. I'm not aware whether there is a SASL mode 
that does what edigest tries to accomplish. 


-- 
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands
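The following is an added example, not code from the thread or from the edigest proposal itself. It models the contrast the reply above draws: with the standard jabber:iq:auth digest (sha1(stream_id + password)) the server must hold the plaintext password to verify a login, so encrypting the database only moves the decryption step onto the server; with edigest the server stores sha1(password + randomkey) and the password itself never crosses the wire. The exact wire format of edigest is assumed here (the per-account secret is combined with the stream id the same way the standard digest combines the password), as is the per-account random key being generated by the server; the account names, passwords, keys and stream id are constructed sample values.

```python
import hashlib
import secrets


def sha1_hex(data: str) -> str:
    """Hex SHA-1 over a UTF-8 string, as both digest flavours use it."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


# --- Standard jabber:iq:auth digest -------------------------------------
def standard_digest(stream_id: str, password: str) -> str:
    """Client side: sha1(stream_id + password)."""
    return sha1_hex(stream_id + password)


def standard_verify(stream_id: str, stored_password: str, digest: str) -> bool:
    """Server side: recomputing the digest needs the plaintext password.
    An encrypted database does not change that; the server decrypts it
    on every login, and a server or database compromise exposes it."""
    return standard_digest(stream_id, stored_password) == digest


# --- edigest, as modelled here (wire format is an assumption) ------------
def new_random_key() -> str:
    """Per-account random key issued by the server (assumed detail)."""
    return secrets.token_hex(16)


def edigest_account_secret(password: str, random_key: str) -> str:
    """sha1(password + randomkey): the only value the server stores."""
    return sha1_hex(password + random_key)


def edigest_response(stream_id: str, account_secret: str) -> str:
    """Assumed wire value: the account secret bound to this session's
    stream id, so the plaintext password never leaves the client."""
    return sha1_hex(stream_id + account_secret)


def edigest_verify(stream_id: str, stored_secret: str, response: str) -> bool:
    """Server side: verifies with the stored secret, never the password."""
    return edigest_response(stream_id, stored_secret) == response


def demo() -> dict:
    """Same password reused on two accounts; constructed sample values.
    Shows that an intercepted edigest secret for one account is only
    useful for that account, because the other account's random key differs."""
    password = "correct horse battery staple"      # constructed
    stream_id = "3B5A0E1C"                           # constructed
    key_home = "0f3c2a9d7e1b4c6a8d2f0e5b9a7c3d1e"   # constructed, account 1
    key_work = "9a1d4f7b2c8e0a6d3b5f1c7e9d2a4b8c"   # constructed, account 2

    # Standard digest: the server's database has to contain the password.
    standard_db = {"tijl@home": password}
    std_ok = standard_verify(stream_id, standard_db["tijl@home"],
                             standard_digest(stream_id, password))

    # edigest: the database holds only the per-account derived secrets.
    edigest_db = {
        "tijl@home": edigest_account_secret(password, key_home),
        "tijl@work": edigest_account_secret(password, key_work),
    }
    # Legitimate login to the home account.
    home_ok = edigest_verify(stream_id, edigest_db["tijl@home"],
                             edigest_response(stream_id, edigest_db["tijl@home"]))
    # The home account's secret, if intercepted, does not verify against
    # the work account even though the password behind both is identical.
    cross_ok = edigest_verify(stream_id, edigest_db["tijl@work"],
                              edigest_response(stream_id, edigest_db["tijl@home"]))
    return {
        "standard_login_ok": std_ok,
        "standard_db_holds_password": password in standard_db.values(),
        "edigest_login_ok": home_ok,
        "edigest_db_holds_password": password in edigest_db.values(),
        "secrets_differ_per_account": edigest_db["tijl@home"] != edigest_db["tijl@work"],
        "home_secret_valid_for_work": cross_ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the random key is chosen per account, two accounts sharing one password still store different secrets, which is the property behind "only useful for *that* specific account"; the modelled stream-id binding is what keeps a captured response from being replayed on a later session, but that binding is an assumption about the proposal, not something the thread states.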



