[standards-jig] Refreshing the Thread: EDigest

David Waite mass at akuma.org
Wed May 28 23:59:36 UTC 2003


Richard Dobson wrote:

>Edigest seems fine to me now, it's just an extra option for those that want
>it, my only real beef was with the suggestion of deprecating standard
>digest in favour of this, but as that is not going to be done now it all
>seems fine to me.
>
I've decided I'm very much opposed to this being within a 
standards-track JEP.

From the XMPP charter:

"A major goal of the working group will be to extend the current XMPP
protocols to provide finished support for RFC 2779-compliant security
mechanisms, including authentication, privacy, access control and
end-to-end as well as hop-by-hop message security."

The JSF supported the IETF effort to perform security enhancements, but 
now we are saying in this forum that the mechanisms proposed aren't good 
enough, without even bringing this to their attention.

jabber:iq:auth should only be for providing compatibility with pre-XMPP 
clients. Any 'enhancements' from this point forward should be done as 
new SASL mechanisms. If SASL is too hard for non-desktop clients to 
support, we need to bring this to the XMPP working group _now_. By my 
measurements though, the solid differences between the two is requiring 
Base64 rather than lowercase hexadecimal encoding, and MD5 instead of 
SHA1. (to support both the MD5 DIGEST and PLAINTEXT SASL mechs)

So either we are enhancing security outside the XMPP effort and the IETF 
(which seems horribly wrong to me both technically and politically), or 
we are making a major change which does not enhance security (which is 
just dumb).

If someone wants to make this informational, I'm all for it. From my 
cursory glance, it does not expose any new security problems, but I am 
not a security expert. However, unless someone manages to bring 
arguments to my attention which haven't been in the previous barrage of 
email on the subject, I'm very much a solid -1 on a standards-track JEP 
78 containing this. If a SASL mechanism for edigest is proposed, I'm 
fine with it going into JEP 77, since the IETF has no in-band 
registration standards.

-David Waite
