[standards-jig] Small Footprint Clients and Authentication

Peter Saint-Andre stpeter at jabber.org
Thu May 29 16:35:19 UTC 2003

On Wed, May 28, 2003 at 08:59:28PM -0700, Evan Prodromou wrote:

> So, I'm still trying to wrap my head around the small-footprint
> argument for using jabber:iq:auth as a non-deprecated parallel
> authentication algorithm.
> I'm just having a hard time believing that there are clients that can
> afford the codespace for creating SHA1 digests that can't afford the
> codespace for creating MD5 digests. AFAIK, the difference in
> complexity between the two is negligible, and if anything MD5 is
> easier (and faster).
> Or maybe it's the combination of MD5 + base-64 encoding? I dunno. Or
> that you can do a barebones plaintext jabber:iq:auth session without
> any transformation, but you need base-64 just to do plaintext
> authentication in the SASL framework?
> Could someone straighten me out on the advantage of jabber:iq:auth
> over XMPP SASL for small footprint clients?

I see several issues here:

1. There are no SASL-aware servers to test against. SASL-aware servers
will not be widespread on the Jabber network for some time to come. But
we want to do compliance testing rather soon, and it's unrealistic to
expect clients to do only SASL authentication when SASL-aware servers
are not available (or widely available). In fact, this would break the
network and would render our compliance testing meaningless.

2. The argument has been made to me that small-footprint clients can do
jabber:iq:auth but not SASL. I don't know whether that is true or not.
It may be immaterial given the facts outlined in point #1.

3. Both jabber:iq:auth and jabber:iq:register should be reviewed every
six months by the Jabber Council for possible deprecation (please see
Section 8 of JEP-0001 for details). I think they cannot be deprecated
now but should be deprecated in the future. Exactly when they will be
deprecated will be up to the Jabber Council, but I would expect that
this will not happen for another 12 to 18 months, depending on how
quickly the transition to SASL-aware servers occurs.

4. The addition of the "edigest" method is intended to move the old
jabber:iq:auth protocol closer to the level of password security (in
storage) provided by MD5. It is not really even a new method, but a
better implementation of the existing digest method. I think JEP-0078 
won't be deprecated for at least 18 months, and I also think that people
using this method don't particularly want their passwords to be stored
in the clear all that time (they should not have been stored that way
since 1999 either, but that is another issue).

I had a fifth point in my head but it's gone now so I'll leave it at
that. :)


Peter Saint-Andre
Jabber Software Foundation

More information about the Standards mailing list