[JDEV] Re: SASL, deployment and coding

Matthew Beacher SyOp at Reigm.Com
Tue Feb 4 17:27:52 CST 2003 

Robert Norris wrote:
>>1) Can the User Registration that is built into SASL be used to join a 
>>Jabber Server or must the Jabber Registration system (as stated in 
>>http://www.jabber.org/protocol/registration.html ) be used? I ask 
>>because SASL has built in registration and authentication, and I am 
>>unsure how to tap into the SASL password files.
> 
> 
> This hasn't really been discussed in any detail. I would suggest joining
> the XMPP working group and bringing this question up there:
> 
>   http://www.jabber.org/cgi-bin/mailman/listinfo/xmppwg/

I'll read that as: Use the one built in the standered, not SASL as it is 
not in any clients.  So I ask, Anyone know how to interface with SASL 
password files?  I am guessing they are based on Unix Password Files.

> 
>>2) How felxable should a server be in the order of receved elements? 
>>Should a server be hard line on receving elements in the order listed, 
>>or should it be more open in the ordering, so long as all required 
>>elements are there?
> 
> 
> I'm not sure what you mean by this. Can you provide an example?

<message to='receve-id' from='send-id'>

fexable - Accept this code
hard line - elements not in correct order, dump line.

> 
> 
>>3) Has anyone else thought that all servers should require SASL 
>>encription level of at least 40 (read 40 bit encription), and that with 
>>this there should be an addition to Jabber:Server:DialBack and SASL so 
>>that Server to server comunications are encripted, because what is the 
>>good of a message that is only encripted some of the time.
> 
> 
> For backwards compatibility reasons, its not possible to enforce the use
> of SASL (and I doubt it ever will be). For guaranteed end-to-end
> security, its necessary to encrypt individual packets using GPG (or
> similar).
> 
> The XMPP working group are actively pursuing these issues. I suggest you
> subscribe to the list and get involved :)
> 
> Rob.
> 

Well, not for everyone, but all server and clients that support SASL 
must use it with a minimum level of encription.  And then make sure that 
   EVERYONE starts including SASL.  It is very easy to include IFF (if 
and only if) you use the cyrus SASL code relesed by Carnegie Mellon 
University.

Matt
SyOpReigm
http://www.Reigm.Com
http://sourceforge.net/projects/rjserver/

More information about the JDev mailing list