[Standards] Proposed XMPP Extension: Best practices for password hashing and storage

Dave Cridland dave at cridland.net
Tue Apr 21 21:56:34 UTC 2020


On Tue, 21 Apr 2020 at 20:20, Sam Whited <sam at samwhited.com> wrote:

> Hi Dave et al,
>
> I'm not against publishing this as an RFC. However, despite the broad
> scope of this XEP making it a good fit for the IETF in some ways, I
> think there is value in having a document that contains specific
> recommendations for the public Jabber network (and a few more general
> recommendations so that implementors interested in improving their
> security have one place to look). The goal of this document was also to
> convince XMPP client and server developers in particular to follow some
> of these best practices after I discovered at least one XMPP server in
> the wild storing passwords in plain text. I have a feeling that they are
> more likely to discover and read an XEP than they are an RFC. I also
> think that the XSF might be a better place because this document
> requires agility and regular review. Updates are more likely to be agile
> (relatively) within the XSF. I would be very grateful to get your
> further opinion on this.
>
> All that being said, I will follow up with the KITTEN working group and
> see what they think. Either way, it may be beneficial to go ahead and
> publish this—if the council has no objections, of course—and if it ends
> up being superseded by an RFC, or if I have to maintain an XEP and an
> I-D version of it in parallel for a while, that shouldn't be too much of
> a problem and I am willing to shoulder the workload to keep both up to
> date until one document becomes definitive.
>

This sounds like an ideal way forward.

We can easily deprecate a XEP in favour of an RFC, or change it to point at
the RFC for the "guts" and add the XMPP specifics on top, but even if all
this effort results in is one or two reviews of the XEP from KITTEN people,
that's a positive outcome.

Dave.