[standards-jig] Refreshing the Thread: EDigest

Matt Tucker matt at jivesoftware.com
Thu May 29 00:29:38 UTC 2003


David,

Agreed, those are my sentiments as well. If we're going with SASL, let's 
really go with it and not extend auth further. JEP 73 says you can only 
not support SASL if it is "difficult or impossible to implement". Also, 
if XMPP "requires" the use of SASL, then isn't it safe to assume that it 
will be extremely widely adopted? :) Dave W -- who are the people that 
need edigest so urgently that it can't be implemented through SASL instead?

Regards,
Matt

David Waite wrote:
> Richard Dobson wrote:
> 
>> Edigest seems fine to me now; it's just an extra option for those that 
>> want
>> it. My only real beef was with the suggestion of deprecating standard
>> digest in favour of this, but as that is not going to be done now it all
>> seems fine to me.
>>
> I've decided I'm very much opposed to this being within a 
> standards-track JEP.
> 
>  From the XMPP charter:
> 
> "A major goal of the working group will be to extend the current XMPP
> protocols to provide finished support for RFC 2779-compliant security
> mechanisms, including authentication, privacy, access control and
> end-to-end as well as hop-by-hop message security."
> 
> The JSF supported the IETF effort to perform security enhancements, but 
> now we are saying in this forum that the mechanisms proposed aren't good 
> enough, without even bringing this to their attention.
> 
> jabber:iq:auth should only be for providing compatibility with pre-XMPP 
> clients. Any 'enhancements' from this point forward should be done as 
> new SASL mechanisms. If SASL is too hard for non-desktop clients to 
> support, we need to bring this to the XMPP working group _now_. By my 
> measurements though, the solid differences between the two are requiring 
> Base64 rather than lowercase hexadecimal encoding, and MD5 instead of 
> SHA1. (to support both the MD5 DIGEST and PLAINTEXT SASL mechs)
> 
> So either we are enhancing security outside the XMPP effort and the IETF 
> (which seems horribly wrong to me both technically and politically), or 
> we are making a major change which does not enhance security (which is 
> just dumb).
> 
> If someone wants to make this informational, I'm all for it. From my 
> cursory glance, it does not expose any new security problems, but I am 
> not a security expert. However, unless someone manages to bring 
> arguments to my attention which haven't been in the previous barrage of 
> email on the subject, I'm very much a solid -1 on a standards-track JEP 
> 78 containing this. If a SASL mechanism for edigest is proposed, I'm 
> fine with it going into JEP 77, since the IETF has no in-band 
> registration standards.
> 
> -David Waite
> 
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
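The two digest shapes the quoted reply contrasts, as an added example that is not code from this thread, from the JSF, or from any JEP or RFC text: the jabber:iq:auth "digest" of JEP-0078 (lowercase hex SHA-1 of stream ID followed by password) beside the SASL PLAIN token (RFC 2595) and the SASL DIGEST-MD5 response value (RFC 2831), with the base64 wrapping XMPP applies to SASL tokens. All function names are illustrative assumptions; the stream ID and credentials are constructed test data, except the DIGEST-MD5 inputs, which are the worked example from RFC 2831 section 4.

```python
"""Added example (not from the thread): legacy jabber:iq:auth digest versus
SASL PLAIN and SASL DIGEST-MD5, the mechanisms the quoted reply compares.
Function names are assumed for illustration; inputs are constructed."""
import base64
import hashlib
import hmac


def iq_auth_digest(stream_id: str, password: str) -> str:
    """JEP-0078 digest: lowercase hex SHA-1 over stream_id || password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def verify_iq_auth(stream_id: str, password: str, presented: str) -> bool:
    """Server side of jabber:iq:auth: recompute and compare in constant time.
    The server needs the plaintext password to do this, which is the
    recurring complaint about the legacy scheme."""
    return hmac.compare_digest(iq_auth_digest(stream_id, password), presented)


def sasl_plain_token(authcid: str, password: str, authzid: str = "") -> str:
    """SASL PLAIN (RFC 2595): base64(authzid NUL authcid NUL passwd)."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_sasl_plain_token(token: str) -> tuple:
    """Server side of PLAIN: decode and split; reject anything but 3 fields."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN token")
    return tuple(p.decode("utf-8") for p in parts)


def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username: str, realm: str, password: str,
                        nonce: str, cnonce: str, nc: str = "00000001",
                        qop: str = "auth", digest_uri: str = "") -> str:
    """RFC 2831 response-value for qop=auth and no authzid:
       A1 = MD5(user:realm:pass) || ":" nonce ":" cnonce   (raw 16-byte MD5)
       A2 = "AUTHENTICATE:" digest-uri
       response = HEX(MD5(HEX(MD5(A1)) ":" nonce ":" nc ":" cnonce ":" qop
                            ":" HEX(MD5(A2))))
    Note the hash is still lowercase hex; it is MD5 (not SHA-1) and is bound
    to a server nonce and a client nonce, which the iq:auth digest is not."""
    a1 = (hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
          + f":{nonce}:{cnonce}".encode("utf-8"))
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd = f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2)}"
    return _hexmd5(kd.encode("ascii"))


def verify_digest_md5(password: str, fields: dict) -> bool:
    """Server side: recompute from the stored password and the client's
    fields (username, realm, nonce, cnonce, nc, qop, digest-uri, response)."""
    expected = digest_md5_response(
        fields["username"], fields["realm"], password, fields["nonce"],
        fields["cnonce"], fields["nc"], fields["qop"], fields["digest-uri"])
    return hmac.compare_digest(expected, fields["response"])


def xmpp_sasl_response_element(fields: dict) -> str:
    """Wrap a DIGEST-MD5 digest-response in the <response/> element XMPP
    uses for SASL (namespace as later fixed in RFC 3920); this base64 layer
    is the encoding difference the thread mentions."""
    body = ",".join(f'{k}="{v}"' if k not in ("nc", "qop", "response") else f"{k}={v}"
                    for k, v in fields.items())
    token = base64.b64encode(body.encode("utf-8")).decode("ascii")
    return f"<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>{token}</response>"


# RFC 2831 section 4 worked example (real vector, not constructed).
RFC2831_FIELDS = {
    "username": "chris", "realm": "elwood.innosoft.com",
    "nonce": "OA6MG9tEQGm2hh", "cnonce": "OA6MHXh6VqTrRk",
    "nc": "00000001", "qop": "auth",
    "digest-uri": "imap/elwood.innosoft.com",
    "response": "d388dad90d4bbd760a152321f2143af7",
}

if __name__ == "__main__":
    print("iq:auth digest :", iq_auth_digest("3EE948B0", "secret"))   # constructed stream ID
    print("SASL PLAIN     :", sasl_plain_token("alice", "secret"))
    print("DIGEST-MD5     :", digest_md5_response(
        "chris", "elwood.innosoft.com", "secret", "OA6MG9tEQGm2hh",
        "OA6MHXh6VqTrRk", digest_uri="imap/elwood.innosoft.com"))
    print(xmpp_sasl_response_element(RFC2831_FIELDS))
```

Running it reproduces the RFC 2831 response value from the stored password "secret". Both schemes hand the server enough to mount an offline dictionary attack on a captured exchange, and both MD5 and SHA-1 are unsuitable for new designs; the point here is only the structural difference the thread is arguing about, not a recommendation of either.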