> > Both Jabber's digest auth mechanism and SASL's DIGEST-MD5 (the best
> > auth mechanisms we have to date) require both the client and the
> > server to have access to the plaintext password. That's enough reason
> > for me.
>
> Isn't it true that not all SASL mechanisms require plaintext
> passwords? This should mean that a capable and properly configured
> server would not need them.
Actually, it seems that even DIGEST-MD5 might not require a plaintext
password. See another post I made to this thread about this.

> Maybe the issue comes down to jabber:iq:register being incompatible
> with any SASL mechanism that does not use plaintext passwords. If we
> nix iq:register, does the problem go away? Maybe then the admin has
> to make a choice between supporting anonymous registrations vs having
> a more-secure system.

Personally, I hate iq:register, and would love it to die. At the very
least, the interactions between it and SASL would be great to know.

The SASL way to do in-band registration is usually via a password
transition - do a PLAIN auth, which gets stored. Then, next time, you do
DIGEST-MD5 or whatever - you don't even get offered PLAIN.

But I'd really like to just do away with in-band registration altogether.

--
Robert Norris
GPG: 1024D/FC18E6C2
Email+Jabber: [EMAIL PROTECTED]
Web: http://cataclysm.cx/
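The point above that DIGEST-MD5 does not need the plaintext password on the server, shown as an added example (not code from this thread or from any Jabber server): per RFC 2831 the only password-derived input is the raw MD5 of username:realm:password, so a server can store that 16-byte value at registration and still verify logins and produce rspauth. The function names and the registration/login flow are this example's own; the parameters are the worked exchange from RFC 2831 section 4.

```python
import hashlib
import hmac
from typing import Optional

def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()  # MD5 as mandated by RFC 2831

def ha1_secret(username: str, realm: str, password: str) -> bytes:
    """Raw 16-byte MD5(username:realm:password). This is all the server
    needs to keep; the plaintext password itself is never required."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))

def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                        digest_uri: str, authzid: Optional[str] = None,
                        rspauth: bool = False) -> str:
    """RFC 2831 response-value computed from HA1, not from the password.
    rspauth=True yields the server's mutual-auth value (same formula,
    but A2 omits the leading 'AUTHENTICATE')."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")   # raw digest, then ':' pieces
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32                          # 32 zero chars per RFC 2831
    kd = ":".join([_h(a1).hex(), nonce, nc, cnonce, qop, _h(a2.encode("utf-8")).hex()])
    return _h(kd.encode("utf-8")).hex()

def server_verify(stored_ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                  digest_uri: str, client_response: str) -> Optional[str]:
    """Server side: recompute from stored HA1, compare in constant time.
    Returns the rspauth value to send on success, None on failure."""
    expected = digest_md5_response(stored_ha1, nonce, cnonce, nc, qop, digest_uri)
    if not hmac.compare_digest(expected, client_response):
        return None
    return digest_md5_response(stored_ha1, nonce, cnonce, nc, qop, digest_uri, rspauth=True)

# Challenge/response parameters taken from the RFC 2831 section 4 example.
RFC_VECTOR = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
                  qop="auth", digest_uri="imap/elwood.innosoft.com")

def demo() -> bool:
    # Registration time (hypothetical flow): server keeps only HA1, drops the password.
    stored = ha1_secret("chris", "elwood.innosoft.com", "secret")
    # Login time: client derives the same HA1 from the typed password.
    resp = digest_md5_response(ha1_secret("chris", "elwood.innosoft.com", "secret"), **RFC_VECTOR)
    ok = server_verify(stored, client_response=resp, **RFC_VECTOR) is not None
    bad = server_verify(stored, client_response=digest_md5_response(
        ha1_secret("chris", "elwood.innosoft.com", "wrong"), **RFC_VECTOR), **RFC_VECTOR)
    return ok and bad is None
```

Storing HA1 only protects the password string itself (e.g. its reuse elsewhere); the stored value is password-equivalent for that realm, so a copy of the database still lets an attacker authenticate, and it is bound to the realm, so a realm rename invalidates every stored secret.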
