[JDEV] Account information storage, plaintext?
Justin Karneges
justin-jdev at affinix.com
Tue Sep 16 16:54:12 CDT 2003
> Both Jabber's digest auth mechanism and SASL's DIGEST-MD5 (the best auth
> mechanisms we have to date) require both the client and the server to
> have access to the plaintext password. That's enough reason for me.
Isn't it true that not all SASL mechanisms require plaintext passwords? This
should mean that a capable and properly configured server would not need
them.
Maybe the issue comes down to jabber:iq:register being incompatible with any
SASL mechanism that does not use plaintext passwords. If we nix iq:register,
does the problem go away? Maybe then the admin has to make a choice between
supporting anonymous registrations vs having a more-secure system.
-Justin
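As an added illustration of the point made in the quoted text (this is example code, not part of the original thread), here is a minimal Python model of the DIGEST-MD5 response computation for qop=auth (RFC 2831). It shows what the server must keep on disk: not the literal password, but H(username:realm:password), which is enough for anyone holding it to answer a challenge, so it is a password-equivalent. The username, realm, nonces and digest-uri are constructed sample values.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def password_equivalent(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password) from RFC 2831. This is the only
    password-derived value the server needs to store for DIGEST-MD5, but
    whoever holds it can authenticate as the user, so it must be protected
    exactly like a plaintext password."""
    return md5(f"{username}:{realm}:{password}".encode())

def digest_response(ha1_core: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """response-value for qop=auth (RFC 2831 section 2.1.2.1).
    Both sides compute it from the same H(user:realm:pass) bytes: the
    client derives them from the password, the server reads them from
    its account store."""
    a1 = ha1_core + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    ha1_hex = md5(a1).hex()
    ha2_hex = md5(a2).hex()
    return md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}".encode()).hex()

def server_verify(stored_ha1: bytes, nonce: str, cnonce: str, nc: str,
                  qop: str, digest_uri: str, response: str) -> bool:
    """Server check: recompute the response from the stored value and compare
    in constant time."""
    expected = digest_response(stored_ha1, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed sample parameters (not real accounts or nonces).
    user, realm, password = "alice", "example.org", "correct horse"
    nonce, cnonce, nc, qop, uri = "srv-nonce-1", "cli-nonce-1", "00000001", "auth", "xmpp/example.org"
    stored = password_equivalent(user, realm, password)   # what the server keeps
    # Legitimate client: derives the same bytes from its password.
    client_resp = digest_response(password_equivalent(user, realm, password), nonce, cnonce, nc, qop, uri)
    wrong_resp = digest_response(password_equivalent(user, realm, "wrong"), nonce, cnonce, nc, qop, uri)
    # Someone holding only the stored hash (e.g. from a leaked account store) can
    # produce an identical response, which is why the stored value is password-equivalent.
    from_stored_only = digest_response(stored, nonce, cnonce, nc, qop, uri)
    return {
        "valid_client_accepted": server_verify(stored, nonce, cnonce, nc, qop, uri, client_resp),
        "wrong_password_rejected": not server_verify(stored, nonce, cnonce, nc, qop, uri, wrong_resp),
        "stored_hash_is_password_equivalent": from_stored_only == client_resp,
    }
```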