[Standards-JIG] Re: Re: JEP-0077: In-Band Registration

Peter Saint-Andre stpeter at jabber.org
Mon Jul 17 20:21:48 UTC 2006

Chris Mullins wrote:
> Piotr Szturmaj Wrote:
>> All I want is storing hashes on disk instead of 
>> plain text passwords (even encrypted). 
> That's always been an issue with the legacy authentication types - the
> need to store the real password. Storing a hash + salt is certainly
> preferable. 

Well, I've been chatting with Piotr via IM, and his concern does seem to
be that the password gets stored on the client machine in plaintext. He
thinks that Jabber systems will be more secure if the credentials are
stored as a hash on the client machine. That way, even if a hacker gains
control of my machine, they'll have only the hash -- which makes it
trivial for the hacker to log into my Jabber account of course, but at
least the hacker won't be able to discover the plaintext (which I might
have used for other accounts or whatever). Also Piotr says this would
make it easier to switch between clients (I wouldn't have to give the
new client my plaintext password). Personally I still think this is an
implementation matter and that it's outside the scope of Jabber/XMPP
protocol definitions (if you want to secure your system, secure your
system through encrypted files or whatever). Better, I think, to go
forward into SASL land (X.509 certificates for end users, anyone?) than
to shore up jabber:iq:auth a la "edigest" or to attempt modifications to
the DIGEST-MD5 SASL mechanism (which is outside of our control, anyway).
But as always, maybe I'm missing something...


Peter Saint-Andre
Jabber Software Foundation
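The trade-off Peter describes (a client-stored hash protects the plaintext from disclosure but is still a password-equivalent for login) can be shown with a toy challenge-response scheme. The code below is an added illustration, not part of the original message and not the jabber:iq:auth digest, the "edigest" proposal, or DIGEST-MD5; the scheme, function names and the sample password are all hypothetical. The client keeps only SHA-256(password) and proves possession of it with an HMAC over a server nonce, so the server never sees the plaintext, but anyone holding a copy of that stored value authenticates just as well as the real user.

```python
import hashlib
import hmac
import secrets


def derive_client_secret(password: str) -> bytes:
    """What the client stores instead of the plaintext (hypothetical scheme).

    The plaintext is not recoverable from this value, which is the benefit
    Piotr wants: a stolen file does not leak a password reused elsewhere.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def server_challenge() -> bytes:
    """Fresh random nonce per login attempt, so responses cannot be replayed."""
    return secrets.token_bytes(16)


def client_response(stored_secret: bytes, nonce: bytes) -> bytes:
    """Client proves it holds the stored secret without sending it."""
    return hmac.new(stored_secret, nonce, hashlib.sha256).digest()


def server_verify(server_secret: bytes, nonce: bytes, response: bytes) -> bool:
    """Server keeps the same derived value and recomputes the expected response."""
    expected = hmac.new(server_secret, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the three cases the discussion turns on and return the outcomes."""
    password = "correct horse battery staple"  # constructed sample value
    secret = derive_client_secret(password)

    # 1. Legitimate client: authenticates with the stored hash only.
    nonce = server_challenge()
    legit = server_verify(secret, nonce, client_response(secret, nonce))

    # 2. Attacker who copied the stored hash from the client machine:
    #    the copy is all that is needed, so the hash is password-equivalent.
    stolen_copy = bytes(secret)
    nonce = server_challenge()
    stolen_logs_in = server_verify(secret, nonce, client_response(stolen_copy, nonce))

    # 3. Someone guessing a different password derives a different secret and fails.
    wrong = derive_client_secret("wrong guess")
    nonce = server_challenge()
    wrong_logs_in = server_verify(secret, nonce, client_response(wrong, nonce))

    return {
        "legit_login": legit,
        "stolen_hash_logs_in": stolen_logs_in,
        "wrong_password_logs_in": wrong_logs_in,
        # The stored value is a digest, not the plaintext the user might reuse.
        "stored_value_is_plaintext": secret == password.encode("utf-8"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The result matches the message's assessment: case 2 succeeds, so storing a hash on the client limits the damage to this one account rather than preventing compromise of it, and protecting that stored file (encrypted storage, OS-level access controls) remains an implementation concern regardless of the wire protocol.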
