[Standards-JIG] Re: Re: JEP-0077: In-Band Registration

Piotr Szturmaj gacek999 at tlen.pl
Mon Jul 17 19:33:46 UTC 2006

> RFC 3920 says we use SASL, which includes mechanisms such as Kerberos,
> DIGEST-MD5, and mutual authentication using X.509 certificates, etc. In
> general we are pushing people to use those methods rather than trying to
> upgrade the old methods documented in JEP-0078. If Kerberos, DIGEST-MD5,
> and X.509 are not secure enough for you, I suggest that you may have a
> future in IETF protocol development. ;-)

SASL is enough for authentication for me; you probably missed my whole point
;-) All I want is storing hashes on disk instead of plain text passwords
(even encrypted). Currently this is impossible because I need to specify the
original password instead of a hash (like in In-Band Registration). I *must*
store the original pass. Even if my client hashes it and uses this hash as the
password, I will lose the possibility to log in from another client. Let's
assume that passwords are hashed on the server side, so nobody (even the
administrator) can retrieve a password; that's ok. But anyone can do it on the
client side. All I want is to make it impossible.
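The trade-off described in this message, as an added example that is not part of the thread: a server that keeps only a salted PBKDF2 digest (hash choice assumed; the post names none) can verify a plain password, but the client-side-hash workaround breaks logins from a second client, and DIGEST-MD5 (RFC 2831) needs the server to hold MD5(username:realm:password), a password-equivalent.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: any modern PBKDF2 work factor


def register(store, username, password):
    """Registration as the poster wants it: keep only salt + one-way digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[username] = (salt, digest)


def verify_plain(store, username, password):
    """Verifier for a password sent in the clear (over TLS): recompute and compare.
    The raw password never has to be stored for this to work."""
    if username not in store:
        return False
    salt, digest = store[username]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


def client_side_hash(password):
    """Poster's workaround: the client hashes locally and registers the hash as
    the password. A second client that knows only the real password then fails."""
    return hashlib.sha256(password.encode()).hexdigest()


def digest_md5_a1(username, realm, password):
    """Inner value of DIGEST-MD5's A1: MD5(username:realm:password). It is
    unsalted and deterministic, so a server that stores it to avoid keeping the
    password holds something that is itself sufficient to authenticate."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


if __name__ == "__main__":
    # constructed sample account; the realm is a placeholder
    db = {}
    register(db, "alice", "correct horse")
    print(verify_plain(db, "alice", "correct horse"))   # True
    db2 = {}
    register(db2, "alice", client_side_hash("correct horse"))
    print(verify_plain(db2, "alice", "correct horse"))  # False: other client locked out
    print(digest_md5_a1("alice", "example.invalid", "pw").hex())
```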
