[JDEV] New Secure Authentication Mechanism
David Waite
mass at akuma.org
Sun May 19 12:12:21 CDT 2002
Chris Chen wrote:
> Hi,
>
> Has anyone considered RFC 2945 (SRP implementation) as perhaps an
> alternative form of authentication for Jabber?
>
> I personally think that 0k authentication is a little unwieldy because
> you have to periodically update the counter when it hits zero.
>
> With SRP, password authentication is transmitted securely without a need
> for certificate-based or public key-based authentication.
>
> What do you guys think?
>
> Chris

It's definitely an interesting algorithm; I wish I remembered enough math
from school right now to figure it out right now :-)

You wouldn't on an off-chance know what is going on with them getting a
SASL-mechanism registered, do you?
(http://www.ietf.org/internet-drafts/draft-burdis-cat-srp-sasl-06.txt)

The big disadvantage would be the need to do rather painful math on the
server and clients. I'm sure this collapses down somewhat, but I don't
remember my college math right now :-)

Right now it is very tough to add new authentication mechanisms to
Jabber; hopefully something SASL-like will be proposed to make this easier.

-David Waite