[Standards-JIG] Re: JEP-0077: In-Band Registration

Peter Saint-Andre stpeter at jabber.org
Mon Jul 17 16:19:35 UTC 2006


Piotr Szturmaj wrote:
>> Sending the password in plain text is not insecure if the channel is
>> encrypted (SSL/TLS) and that's what the JEP recommends.
> 
> 
> Yes, that's ok. But passwords stored in a DB or on disk can be easily read. For 
> example, in a client's config file the password must be in plain text (possibly 
> encrypted, but decryption is rather easy anyway).

Well, sure, but if someone has access to the server machine then they can
decrypt the passwords anyway. Clients could encrypt the password or
never save the password (always prompt the user). Or we could start
using mutual authentication with X.509 certificates. Etc. And that use
case in JEP-0077 applies only to systems that store passwords anyway (if
we did mutual authentication with certificates, it would not apply).

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
