[jdev] Re: Problem Connecting to GoogleTalk using my custom client
Stephen Pendleton
spendleton at movsoftware.com
Tue Oct 25 12:43:37 CDT 2005
In practical use, what are the advantages of TLS/SSL with SASL DIGEST-MD5
versus TLS/SSL with SASL PLAIN authentication? DIGEST-MD5 seems to be such a
pain to have to add on the client and server sides. I can imagine this is
why Google didn't implement DIGEST-MD5. Since the stream is already
encrypted using TLS/SSL, does DIGEST-MD5 add some extra security that
warrants its "must-implement" status?
Thanks
-----Original Message-----
From: jdev-bounces at jabber.org [mailto:jdev-bounces at jabber.org] On Behalf Of Peter Saint-Andre
Sent: Tuesday, October 25, 2005 12:46 PM
To: Jabber software development list
Subject: Re: [jdev] Re: Problem Connecting to GoogleTalk using my custom client

Gary Burd wrote:
> On 10/25/05, Ralph Meijer <jabber.org at ralphm.ik.nu> wrote:
>> Hmm, so your implementation does not support DIGEST-MD5? Note that
>> XMPP Core requires implementing this.
>
> The Google Talk Service does not support DIGEST-MD5.
>
> To implement DIGEST-MD5, a server must store the user's password as
> plain text or store a specific hash of the user name and password.
> DIGEST-MD5 might take some work to implement if a server does not
> store passwords in one of these two formats to begin with.

We have two options:

1. Accept that Google Talk is not fully compliant with RFC 3920.
2. In rfc3920bis, change the must-implement to specify something other
   than DIGEST-MD5 (perhaps advisable anyway, given recent demonstration of
   problems with MD5).

Peter
--
Peter Saint-Andre
Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml
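
An added example (not part of the thread or of any project's code) of the storage constraint Gary Burd describes: a DIGEST-MD5 server has to hold the plaintext or MD5(username:realm:password), while a server that receives PLAIN inside TLS can keep only a salted, iterated hash. Function names and the PBKDF2 parameters are assumptions; the DIGEST-MD5 inputs are the example values from RFC 2831 section 4.

```python
import hashlib
import hmac
import os

def userhash(username, realm, password):
    # H(username:realm:password): the "specific hash" a DIGEST-MD5 server can
    # store instead of the plaintext. Anyone holding it can compute valid
    # responses, so it has to be protected like the password itself.
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

def digest_md5_response(stored, nonce, cnonce, nc, digest_uri, qop="auth"):
    # RFC 2831 response-value (qop=auth, no authzid), derived from the stored
    # hash alone; client and server both compute it and the server compares.
    a1 = stored + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()

def plain_store(password, iterations=100_000):
    # What a PLAIN-over-TLS server can keep: a salted, iterated one-way hash.
    # The DIGEST-MD5 userhash cannot be derived from this record.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk

def plain_verify(record, password):
    # PLAIN delivers the password itself (inside TLS), so the server re-hashes it.
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, candidate)

# Example values from RFC 2831 section 4 (username "chris", password "secret").
RFC = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
           nc="00000001", digest_uri="imap/elwood.innosoft.com")

if __name__ == "__main__":
    stored = userhash("chris", "elwood.innosoft.com", "secret")
    print("DIGEST-MD5 response:", digest_md5_response(stored, **RFC))
    record = plain_store("secret")
    print("PLAIN verify:", plain_verify(record, "secret"), plain_verify(record, "wrong"))
```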