[standards-jig] Small Footprint Clients and Authentication

Evan Prodromou evan at prodromou.san-francisco.ca.us
Fri May 30 01:07:00 UTC 2003

>>>>> "TH" == Tijl Houtbeckers <thoutbeckers at splendo.com> writes:

    TH> It is however very relevant for the iq:auth vs. SASL
    TH> discussion. I'm not very up to date on SASL yet, but from what
    TH> I've read here it *requires* support for MD5. This would mean
    TH> that once iq:auth will be deprecated the requirements to
    TH> implement jabber will be significantly greater.

You're a little upside-down. XMPP-SASL allows PLAIN (RFC 2595)
authentication as one of the authentication mechanisms -- it's even in
the examples. However, section 11.5 of the XMPP spec requires support

You should probably comment on the XMPP draft and suggest that
DIGEST-MD5 become a SHOULD requirement for SASL authentication (down
from a MUST). If very small footprint clients can't handle the
codespace for digest-based authentication, they shouldn't have to go
chasing after alternative authentication methods.

Ditto for TLS, of course.

    TH> I'll see if I can find some time in the next days to provide
    TH> some examples on how much space these methods (and an
    TH> estimate of SASL) would approximately take up in J2ME, and
    TH> post some device-specs to go along with them.

Don't bother on my part. I think we've got to the crux of the
matter. I'm convinced that support of digest authentication -- whether
jabber:iq:auth or XMPP-SASL -- would be some burden for
very-small-footprint clients.

I think the root of the problem here is that XMPP's requirement
that DIGEST-MD5 authentication MUST be supported should be downgraded
to a SHOULD. This would allow small-footprint clients to use plaintext
passwords within the framework of XMPP.


Evan Prodromou
evan at prodromou.san-francisco.ca.us
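
Added example, not part of the original message or of any Jabber/XMPP code base: a Python sketch of what a client must compute for SASL PLAIN versus DIGEST-MD5, the two mechanisms compared in the message above. The account values are the sample exchange from RFC 2831 section 4, not anything from this thread, and the function names are hypothetical.

```python
import base64
import hashlib


def sasl_plain(authcid, password, authzid=""):
    """RFC 2595 PLAIN: authzid NUL authcid NUL password, base64-encoded for XMPP."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def recover_plain_password(b64_message):
    """What anyone reading an unencrypted stream can do with a PLAIN message."""
    _authzid, _authcid, password = base64.b64decode(b64_message).split(b"\x00")
    return password.decode("utf-8")


def _hex_md5(data):
    return hashlib.md5(data).hexdigest().encode("ascii")


def digest_md5_response(user, realm, password, nonce, cnonce, nc, digest_uri):
    """RFC 2831 'response' value for qop=auth with no authzid (ASCII inputs assumed)."""
    # A1 starts with the raw 16-byte MD5 of user:realm:password, not its hex form.
    a1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd = b":".join([_hex_md5(a1), nonce.encode(), nc.encode(),
                    cnonce.encode(), b"auth", _hex_md5(a2)])
    return hashlib.md5(kd).hexdigest()


if __name__ == "__main__":
    # Sample values from the worked example in RFC 2831 section 4.
    msg = sasl_plain("chris", "secret")
    print("PLAIN on the wire:     ", msg)
    print("password recovered:    ", recover_plain_password(msg))
    print("DIGEST-MD5 response:   ", digest_md5_response(
        "chris", "elwood.innosoft.com", "secret",
        "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001",
        "imap/elwood.innosoft.com"))
```

PLAIN needs only string concatenation and base64, while DIGEST-MD5 needs an MD5 implementation, challenge parsing and a client nonce; the PLAIN message is reversible by any observer unless the stream is protected by TLS.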
