Agreed, there are technical reasons for having passwords kept in plaintext.
4) It is acknowledged that a) the server will need to translate/send
these passwords in plain text, b) integration with other apps may
require passwords *stored* in plain text. (But please explain if there
is a good reason why this should be the default.)
Both Jabber's digest auth mechanism and SASL's DIGEST-MD5 (the best auth
mechanisms we have to date) require both the client and the server to
have access to the plaintext password. That's enough reason for me.
However
* Jabber 1.x at least sends the server administrator a copy of the plain text password when the user registers with the server (if the admin is set up to receive information)
* The transport passwords could be encrypted with the "main" jabber password as the encryption key, so if you get a transport password it's useless without the jabberd password (on the other hand, getting the jabberd password is reasonably straightforward if they are in plain text)
_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev

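As an added example (not code from the original post, nor from jabberd or any transport), the following shows the two points the message makes in working form: the jabber:iq:auth digest (SHA-1 over stream ID + password, as specified in XEP-0078) computed on the client and checked on the server, which demonstrates why the server has to hold the plaintext to verify it; and the last bullet's idea of wrapping each transport password under a key derived from the "main" Jabber password, so a stolen transport blob is useless on its own. The wrapping uses PBKDF2 plus an HMAC-SHA256 counter keystream with an HMAC tag as a stdlib-only stand-in for a proper AEAD; that construction, the stream ID, the passwords and all function names are my own assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct


# ---------- jabber:iq:auth digest (XEP-0078) ----------

def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def jabber_digest(stream_id: str, password: str) -> str:
    """Client side: lowercase hex SHA-1 of the stream ID concatenated with the password."""
    return sha1_hex(stream_id + password)


def server_verify_with_plaintext(stored_password: str, stream_id: str, client_digest: str) -> bool:
    """Server side: the only way to check the digest is to recompute it from the plaintext."""
    expected = jabber_digest(stream_id, stored_password)
    return hmac.compare_digest(expected, client_digest)


def server_verify_with_hash_only(stored_sha1_of_password: str, stream_id: str, client_digest: str) -> bool:
    """What a server that kept only SHA1(password) could attempt. The stream ID is
    prepended *inside* the hash, so nothing derivable from SHA1(password) alone
    reproduces SHA1(stream_id + password); this check always fails for a real client."""
    guess = sha1_hex(stream_id + stored_sha1_of_password)  # the only value it can compute
    return hmac.compare_digest(guess, client_digest)


# ---------- transport passwords wrapped under the main password ----------

PBKDF2_ITERATIONS = 100_000  # assumption; tune for the deployment


def _derive_keys(main_password: str, salt: bytes) -> tuple[bytes, bytes]:
    km = hashlib.pbkdf2_hmac("sha256", main_password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter). Stand-in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_transport_password(main_password: str, transport_password: str) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(main_password, salt)
    pt = transport_password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_transport_password(main_password: str, blob: bytes):
    """Return the transport password, or None if the main password is wrong or the blob was altered."""
    if len(blob) < 16 + 16 + 32:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(main_password, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


if __name__ == "__main__":
    sid = "3B4A5B1E"  # constructed stream ID
    digest = jabber_digest(sid, "secret")
    print("plaintext on server verifies:", server_verify_with_plaintext("secret", sid, digest))
    print("SHA1(password) on server verifies:", server_verify_with_hash_only(sha1_hex("secret"), sid, digest))
    blob = wrap_transport_password("main-pw", "transport-pw")
    print("unwrap with main password:", unwrap_transport_password("main-pw", blob))
    print("unwrap with wrong password:", unwrap_transport_password("other", blob))
```

The digest half is the server's problem in one line: `server_verify_with_plaintext` needs the stored password itself, so any scheme that stores only a one-way hash of it cannot serve this mechanism. The wrapping half shows the other bullet's trade-off: a dumped transport blob yields nothing without the main password, but the server can only unwrap it while it holds that password.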