[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]

Mridul Muralidharan mridul at sun.com
Wed Sep 12 16:53:47 UTC 2007


Greg Hudson wrote:
> On Tue, 2007-09-11 at 19:51 +0100, Dave Cridland wrote:
>> If I ruled the world, I'd mandate TLS+SCRAM, and have a SHOULD for  
>> TLS+YAP (the latter being plaintext-equiv on the server, but only a  
>> single round-trip, so great for mobiles).
> 
> You may be missing the most popular reason for sending plain-text
> passwords to the server (over TLS, one hopes): it's the only way for the
> server to check the password against an external verifier such as an
> LDAP server, AD controller, or Kerberos KDC.  (GSSAPI krb5 auth is much
> better if you have an AD controller or Kerberos KDC, of course, but I
> don't hold out much hope for that being universally implemented in
> clients.)
> 
> 

Yes, I mentioned the same a few posts back - auth proxying can be done 
across a variety of mechisms/deployments only with sasl plain (and the 
deprecated jabber:iq:auth) in xmpp.

- Mridul



More information about the Standards mailing list