[Standards-JIG] Re: Re: JEP-0077: In-Band Registration

Peter Saint-Andre stpeter at jabber.org
Mon Jul 17 19:39:49 UTC 2006


Piotr Szturmaj wrote:
>> RFC 3920 says we use SASL, which includes mechanisms such as Kerberos,
>> DIGEST-MD5, and mutual authentication using X.509 certificates, etc. In
>> general we are pushing people to use those methods rather than trying to
>> upgrade the old methods documented in JEP-0078. If Kerberos, DIGEST-MD5,
>> and X.509 are not secure enough for you, I suggest that you may have a
>> future in IETF protocol development. ;-)
> 
> SASL is enough for authentication for me, you probably miss my whole point 
> ;-) All I want is storing hashes on disk instead of plain text passwords 
> (even encrypted). 

That's really an implementation issue, no?

> Currently this is impossible because I need to specify 
> original password instead of hash (like in In-Band Registration). 

Support for JEP-0077 is optional, and even then support for the change
password use case is optional.

> I *must* 
> store original pass. Even if my client will hash it and use this hash like 
> password, I will lose possibility to login from other client. Let's assume 
> that passwords are hashed on server side, nobody (even administrator) can 
> retrieve password, that's ok. But anyone can do it on client side. All I 
> want is to make it impossible. 

As I say, I think that's a client implementation issue. Does anything in
the protocols *force* the client to store the password in plaintext?

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
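The thread turns on whether a server can keep only a hash on disk and still support a SASL mechanism such as DIGEST-MD5. The example below is added here; it is not code from the thread, from RFC 2831, or from any Jabber server or client. It assumes a constructed user, realm, and password, and models only the qop=auth case with no authzid. It shows that the DIGEST-MD5 response can be verified from the stored value H(username:realm:password) alone, so the server never needs the plaintext, and that a wrong password fails verification.

```python
import hashlib
import secrets

# Constructed sample values for the example (not taken from the thread).
USERNAME = "piotr"
REALM = "example.org"
PASSWORD = "correct horse battery staple"
DIGEST_URI = "xmpp/example.org"
QOP = "auth"
NC = "00000001"


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What the server keeps on disk: H(username:realm:password) as 16 raw bytes.

    RFC 2831 builds A1 from this inner hash, so the plaintext password is
    not needed at verification time. MD5 is used here only because the
    mechanism is defined over it; it is not a recommendation.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """RFC 2831 response-value (qop=auth, no authzid).

    Both sides run the same function: the client derives `secret` from the
    password it holds, the server reads it from storage.
    """
    a1 = secret + f":{nonce}:{cnonce}".encode()           # raw 16-byte inner hash
    ha1 = hashlib.md5(a1).hexdigest()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()            # qop=auth: no body-hash suffix
    ha2 = hashlib.md5(a2).hexdigest()
    return hashlib.md5(
        f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()
    ).hexdigest()


def client_response(password: str, nonce: str, cnonce: str) -> str:
    """Client side: it holds the password (or could hold only the realm-bound secret)."""
    secret = stored_secret(USERNAME, REALM, password)
    return digest_response(secret, nonce, cnonce, NC, QOP, DIGEST_URI)


def server_verify(stored: bytes, nonce: str, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored secret and compare in constant time."""
    expected = digest_response(stored, nonce, cnonce, NC, QOP, DIGEST_URI)
    return secrets.compare_digest(expected, response)


def run_exchange(password_offered: str = PASSWORD) -> bool:
    """One authentication attempt against a server that stores only the hash."""
    user_db = {USERNAME: stored_secret(USERNAME, REALM, PASSWORD)}  # no plaintext on disk
    nonce = secrets.token_hex(16)     # server challenge
    cnonce = secrets.token_hex(16)    # client nonce
    response = client_response(password_offered, nonce, cnonce)
    return server_verify(user_db[USERNAME], nonce, cnonce, response)


if __name__ == "__main__":
    print("correct password accepted:", run_exchange())
    print("wrong password accepted:", run_exchange("not the password"))
```

Two caveats follow from the code. The stored value is bound to the realm, which is why the client cannot simply hash the password with some scheme of its own and still log in from another client (the thread's "lose possibility to login" point): every client must derive exactly this secret. And the stored value is password-equivalent for this mechanism: anyone who reads it can answer DIGEST-MD5 challenges for that user, and it is an unsalted, fast hash, so it does not give the offline-guessing resistance of a salted slow hash. Keeping only the hash limits what a disk read exposes; it does not make the credential store safe to leak.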
