[jdev] Scope of current RFC3920 SASL implementation

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Sun Jan 25 15:49:15 CST 2009


On Sunday 25 January 2009 10:30:39 Dirk Meyer wrote:
> If you only do SASL, you can not be sure that someone changes the data
> after the SASL authentication. Maybe you don't need to if you trust the
> XMPP servers involved.

It depends on the SASL mechanism.  With DIGEST-MD5, for example, you can have 
a mutually authenticated session with integrity protection (and encryption).

I think our e2e proposal should promote TLS + SASL EXTERNAL as the common 
case, but we should not require TLS and we should allow any SASL mechanism.  
This way, someone could create a password-based service running at a JID.

-Justin
