[Standards] LAST CALL: XEP-0227 (Portable Import/Export Format for XMPP-IM Servers)

Kurt Zeilenga Kurt.Zeilenga at Isode.com
Tue Aug 25 13:58:43 UTC 2009


On Aug 25, 2009, at 3:40 AM, Tobias Markmann wrote:

> On Tue, Aug 25, 2009 at 8:18 AM, Kevin Smith <kevin at kismith.co.uk>  
> wrote:
> > 4. Do you have any security concerns related to this specification?
>
> Only in as much as it's a great big file with everyone's passwords in.
>
> Sure there are little servers supporting it and there doesn't seem  
> to be huge demand for it but maybe one should add support for other  
> encodings for the password. Currently it seems you have to use  
> plaintext there.

Because otherwise you have little mechanism agility.  That is, no  
ability to support mechanisms which have different mechanism specific  
hashes from those you chosen to store.

> For example one could also allow storage of the password via two  
> values(one for UTF8 and one for ISO 8859-1) of
> H( { username-value, ":", realm-value, ":", passwd } ) as it is used  
> in Digest-MD5 mechanism.

It would be nice if XEP 227 provided a format for indicating that a  
password is hashed by a particular algorithm.

However, I don't think we should require importing servers to support  
any particular algorithm other than cleartext.  If a server exports a  
Digest-MD5 hash but the importer only accepts plain text, it's up to  
the admin to resolve the problem (by resetting passwords of all users,  
or by convincing the developers of the importing server to add new  
features, or whatever).

That is, if you want exchange interoperability, export passwords as  
plain text.

> Similar method should be possible for future SCRAM mechanism.

And for SRP and ...,  but each will likely be different.

-- Kurt



More information about the Standards mailing list