[Standards] Proposed XMPP Extension: Best practices for password hashing and storage

Sam Whited sam at samwhited.com
Tue Apr 21 19:20:10 UTC 2020


Hi Dave et al,

I'm not against publishing this as an RFC. However, despite the broad
scope of this XEP making it a good fit for the IETF in some ways, I
think there is value in having a document that contains specific
recommendations for the public Jabber network (and a few more general
recommendations so that implementors interested in improving their
security have one place to look). The goal of this document was also to
convince XMPP client and server developers in particular to follow some
of these best practices after I discovered at least one XMPP server in
the wild storing passwords in plain text. I have a feeling that they are
more likely to discover and read an XEP than they are an RFC. I also
think that the XSF might be a better place because this document
requires agility and regular review. Updates are more likely to be agile
(relatively) within the XSF. I would be very grateful to get your
further opinion on this.

All that being said, I will follow up with the KITTEN working group and
see what they think. Either way, it may be beneficial to go ahead and
publish this—if the council has no objections, of course—and if it ends
up being superseded by an RFC, or if I have to maintain an XEP and an
I-D version of it in parallel for a while, that shouldn't be too much of
a problem and I am willing to shoulder the workload to keep both up to
date until one document becomes definitive.

—Sam


On Tue, Apr 21, 2020, at 14:41, Dave Cridland wrote:
> However, I would like to encourage the author to approach the IETF
> KITTEN working group to see if there's interest in publishing through
> that route instead, as I think it'd gain more qualified review and
> therefore more value.
>
> But if they don't want to put in the effort to see it published as an
> RFC, then I'm happy that we publish.
