[Standards-JIG] Re: JEP-0077: In-Band Registration
stpeter at jabber.org
Mon Jul 17 16:19:35 UTC 2006
Piotr Szturmaj wrote:
>> Sending the password in plain text is not insecure if the channel is
>> encrypted (SSL/TLS) and that's what the JEP recommends.
> Yes, that's ok. But passwords stored in the DB/on disk can be easily read. For
> example, in the client's config file the password must be in plain text
> (eventually encrypted; anyway, decryption is rather easy).
Well, sure, but if someone has access to the server machine then they can
decrypt the passwords anyway. Clients could encrypt the password or
never save the password (always prompt the user). Or we could start
using mutual authentication with X.509 certificates. Etc. And that use
case in JEP-0077 applies only to systems that store passwords anyway (if
we did mutual authentication with certificates, it would not apply).
Jabber Software Foundation
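The thread's concern is what ends up on disk once a password has arrived in the clear over an encrypted channel. The following is an added illustration, not code from the list, from JEP-0077 or from any XMPP server: a hypothetical registration handler (`register`, `verify`, in-memory `_accounts` store and the `stored_record_reveals_password` check are all assumed names) that accepts the plaintext password the client sent and writes only a salted PBKDF2 hash, so the record at rest cannot simply be read back as the password. It does not handle XMPP stanzas; it only shows the storage side of the argument.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical in-memory account store standing in for the server's DB.
_accounts = {}


def register(username, password, iterations=200_000):
    """Handle an in-band registration.

    The password arrives in the clear (the channel, not the value, is
    encrypted), but only a per-user salt and a PBKDF2-HMAC-SHA256 digest
    are written to storage; the password itself is never persisted.
    """
    if username in _accounts:
        raise ValueError("conflict: username already registered")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    _accounts[username] = {
        "salt": base64.b64encode(salt).decode("ascii"),
        "iterations": iterations,
        "hash": base64.b64encode(digest).decode("ascii"),
    }
    return _accounts[username]


def verify(username, password):
    """Re-derive the digest from the stored salt and compare in constant time."""
    rec = _accounts.get(username)
    if rec is None:
        return False
    salt = base64.b64decode(rec["salt"])
    expected = base64.b64decode(rec["hash"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rec["iterations"]
    )
    return hmac.compare_digest(digest, expected)


def stored_record_reveals_password(username, password):
    """The check behind the thread's worry: does the on-disk record contain
    the password as such?  With hashing at rest it does not."""
    return password in repr(_accounts[username])


if __name__ == "__main__":
    # Constructed sample credentials, not real account data.
    register("alice", "correct horse battery")
    print(verify("alice", "correct horse battery"))        # True
    print(verify("alice", "wrong password"))               # False
    print(stored_record_reveals_password("alice", "correct horse battery"))  # False
```

Note that this only addresses the server side of the discussion: a client that wants to avoid re-prompting still has to keep something reusable on its own disk, which is exactly the client-side point raised above.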