[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Evan Prodromou evan at prodromou.san-francisco.ca.us
Thu May 29 03:17:26 UTC 2003


>>>>> "DS" == Dave Smith <dizzyd at jabber.org> writes:

    DS> You may want people to implement SASL, but I _know_ that they
    DS> will continue to use iq:auth. So what's the harm in having the
    DS> choice?

Choice is great for salad bars, but it sucks for standards.  It makes
implementation, verification, and interoperation all the more
difficult.

If SASL sucks -- and it does, for many reasons -- let's get rid of
it. Let's _not_ have a two-track authentication standard.

Also, did I mention the many-doors-make-insecure-houses argument?

Each authentication protocol that implementations have to support
means that much more code, which in turn means that many more bugs.
And, with the Jabber network, client-to-server authentication is very,
very important. A bug in _my_ authentication routines makes the
_entire_network_ susceptible.

I agree that people will continue to use j:i:a. Hell, anyone who does
a Jabber client or server implementation in the next 2-3 years without
supporting j:i:a would be an idiot. Not to mention that it's part of
Jabber IM Basic.

But j:i:a should be a dead end -- a lovingly-supported senile uncle
who we're all waiting to die. That's what deprecated protocols are all
about.

~ESP

-- 
Evan Prodromou
evan at prodromou.san-francisco.ca.us





