[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Evan Prodromou evan at prodromou.san-francisco.ca.us
Wed May 28 17:30:04 UTC 2003


>>>>> "JH" == Joe Hildebrand <JHildebrand at jabber.com> writes:

    JH> 1) I agree with Tijl here that Choice is Good.  We're going to
    JH> implment something in this space in the short term, probably,
    JH> so we figured it might be good to talk about it in public
    JH> first.  We've got customers for whom rot13 storage (or
    JH> equivalents) isn't good enough.

There are a bunch of other ways to address this problem besides
changing the namespace.

For example:

    1) Don't store passwords (duh).
    2) At registration time, use the hash of what the user enters as
       the password. Then, use <digest> as before.
    3) Use a real single-sign-on authentication mechanism, like
       client-side certs, kerberos, or Windows domain authentication.

I think edigest works, but it should probably be set up as a SASL
method rather than backwedged into jabber:iq:auth.

~ESP

-- 
Evan Prodromou
evan at prodromou.san-francisco.ca.us






More information about the Standards mailing list