[JDEV] digest and ldap and authentication

Max Horn max at quendi.de
Sun Jul 30 10:42:15 CDT 2000


>You have this procedure right (and at least the hooks for eventually
>adding SSL are already there in Jabber, just nobody has
>implemented it yet) :).

Actually, I've implemented SSL in Jabbernaut... but I do not verify 
certificates yet. Mainly due to lack of time on my side, I have to 
learn more about SSL & OpenSSL to learn how to do it. Thus, it's only 
partly useful.

>However, Stunnel works on UNIX and Windows ;).

Good. However, as long as server-to-server connections are *not* SSL 
protected, SSL connections serve only one purpose: to protect the 
password.

SSL for server-to-server is a very problematic issue, though. Either 
we force the use of *only* SSL connections, but this is unrealistic. Or 
we allow both, but then we might as well not use SSL at all, because 
the user can never know if his data is only submitted via a secure 
route...



>SSL is a much better solution because it's a known standard &
>would encrypt the entire session, not just the password.

That is exactly my opinion :-)


>If you're  using Jabber to do company meetings, you should want the entire
>conversation encrypted, not just the password (then again people
>make business decisions via email all of the time & that's not
>usually encrypted ;).

True (both <g>).


>It also would protect the password during user
>registration, which digest authentication does not do (thus IMHO,
>it's not really any more secure than traditional authentication
>because it can be sniffed during registration)

Of course, this all is only true if we trust the certificate...


>Eventually if SSL support was built in (e.g. not just stunnel)  to the
>client, then you could add in SSL client certificates which would
>allow for a much more secure form of authentication.

Hm, does one have to pay license if one wants to ship the VeriSign 
etc. master certs with an app (so one can verify certs) ??
As I stated above, I added SSL (using OpenSSL 0.9.5a) to my client. 
In fact, to do this, I reactivated the (abandoned) Macintosh port of 
OpenSSL :-)
But I lack knowledge of SSL :-(. I will have to dig into the docs...

BTW, one does have to pay a yearly fee for VeriSign etc. certs, 
right? Hmm... Well, I suppose I need to have a DB, that stores certs. 
When I contact a server, it sends me its cert. I check it against my 
DB. If it's not contained there, I ask the user if he wants to trust 
it.



Bye,

Max
-- 
-----------------------------------------------------------
Max "The Black Fingolfin" Horn
<mailto:max at quendi.de>
<http://www.quendi.de> - please use my guestbook!
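The "cert DB" scheme described at the end of the message (store the certificate a server presents, check later connections against it, ask the user when a server is not yet known) is what is now usually called trust-on-first-use. The following is an added example of that check in Python; it is not code from the post, from Jabbernaut, or from OpenSSL. It keys the store by hostname and compares SHA-256 fingerprints of the DER-encoded certificate rather than storing whole certificates, and it goes one step beyond the message by treating a *known* host that presents a *different* certificate as a hard failure rather than something to re-prompt for. The certificate bytes, hostnames and the `ask_user` callback are constructed stand-ins, not real certificates or a real client API.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

# Hypothetical certificate store: hostname -> SHA-256 fingerprint (hex).
# A real client would persist this on disk; here it is an in-memory dict.
CertStore = Dict[str, str]

# Constructed placeholders standing in for DER-encoded certificates.
# They are NOT real certificates; only their bytes matter for the demo.
DER_CERT_A = b"constructed-der-bytes:jabber.example.org:cert-A"
DER_CERT_B = b"constructed-der-bytes:jabber.example.org:cert-B"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_server_cert(store: CertStore, host: str, der_cert: bytes) -> Tuple[str, str]:
    """Trust-on-first-use lookup.

    Returns (verdict, fingerprint), where verdict is one of:
      'trusted'  - the stored fingerprint matches the presented certificate
      'unknown'  - no entry for this host yet; the caller should ask the user
      'mismatch' - the host is known but now presents a different certificate
    """
    fp = fingerprint(der_cert)
    stored: Optional[str] = store.get(host)
    if stored is None:
        return "unknown", fp
    # Constant-time comparison; cheap insurance against timing side channels.
    if hmac.compare_digest(stored, fp):
        return "trusted", fp
    return "mismatch", fp


def decide_connection(store: CertStore, host: str, der_cert: bytes,
                      ask_user: Callable[[str, str], bool]) -> bool:
    """Apply the policy from the message: accept known-good certs, ask the
    user about unknown ones and remember an accepted answer. A mismatch is
    refused outright: a changed certificate on a known host is exactly what
    an interception attempt looks like, so it must be resolved out of band
    (e.g. the user removes the stale entry after confirming the change)."""
    verdict, fp = check_server_cert(store, host, der_cert)
    if verdict == "trusted":
        return True
    if verdict == "unknown":
        if ask_user(host, fp):
            store[host] = fp  # remember the user's decision for next time
            return True
        return False
    return False  # mismatch


def demo() -> Tuple[str, bool, bool, str, bool]:
    """Run the three cases against a fresh store and return the verdicts."""
    store: CertStore = {}
    host = "jabber.example.org"  # constructed hostname
    first_verdict, _ = check_server_cert(store, host, DER_CERT_A)
    accepted_first = decide_connection(store, host, DER_CERT_A, lambda h, f: True)
    # Second connection with the same cert: no prompt needed, user is not asked.
    accepted_again = decide_connection(store, host, DER_CERT_A, lambda h, f: False)
    # Same host, different cert: flagged, and refused even if the user would say yes.
    changed_verdict, _ = check_server_cert(store, host, DER_CERT_B)
    accepted_changed = decide_connection(store, host, DER_CERT_B, lambda h, f: True)
    return first_verdict, accepted_first, accepted_again, changed_verdict, accepted_changed


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy you: the first connection to a host is still taken on faith, which is the same "only true if we trust the certificate" caveat raised earlier in the thread. What the store adds is that any *later* substitution of the server's certificate becomes visible, which is the case a CA-based check would otherwise have to catch.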



