> Both Jabber's digest auth mechanism and SASL's DIGEST-MD5 (the best auth
> mechanisms we have to date) require both the client and the server to
> have access to the plaintext password. That's enough reason for me.

Isn't it true that not all SASL mechanisms require plaintext passwords? This should mean that a capable and properly configured server would not need them.

Maybe the issue comes down to jabber:iq:register being incompatible with any SASL mechanism that does not use plaintext passwords. If we nix iq:register, does the problem go away? Maybe then the admin has to make a choice between supporting anonymous registrations vs having a more-secure system.

-Justin
_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
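
The storage trade-off discussed in this thread, as an added example that is not part of the original messages. It assumes the jabber:iq:auth digest is the hex SHA-1 of the stream ID concatenated with the password. The class names, the PBKDF2 choice for the hashed store and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import os


def jabber_digest(stream_id: str, password: str) -> str:
    """Client-side digest: hex SHA-1 over stream ID + plaintext password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


class PlaintextStore:
    """Hypothetical server that keeps the password itself (needed for digest auth)."""

    def __init__(self):
        self.passwords = {}

    def register(self, user, password):
        self.passwords[user] = password

    def verify_digest(self, user, stream_id, digest):
        # The server recomputes the digest, which requires the plaintext password.
        expected = jabber_digest(stream_id, self.passwords[user])
        return hmac.compare_digest(expected, digest)


class HashedStore:
    """Hypothetical server that keeps only a salted PBKDF2 hash (assumed scheme)."""

    def __init__(self):
        self.records = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.records[user] = (salt, self._derive(password, salt))

    def verify_plain(self, user, password):
        # Works only when the client sends the password itself (e.g. inside TLS).
        salt, stored = self.records[user]
        return hmac.compare_digest(stored, self._derive(password, salt))

    def verify_digest(self, user, stream_id, digest):
        # SHA1(stream_id + password) cannot be recomputed from a salted hash,
        # so this store cannot decide a digest login at all.
        return None
```

A server that wants to stop storing plaintext therefore has to give up this digest exchange and use a mechanism whose verifier can be checked against what it stores.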
