In practical use, what are the advantages of TLS/SSL with SASL DIGEST-MD5 versus TLS/SSL with SASL PLAIN authentication? DIGEST-MD5 seems to be such a pain to have to add on the client and server sides. I can imagine this is why Google didn't implement DIGEST-MD5. Since the stream is already encrypted using TLS/SSL, does DIGEST-MD5 add some extra security that warrants its "must-implement" status?
Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Saint-Andre
Sent: Tuesday, October 25, 2005 12:46 PM
To: Jabber software development list
Subject: Re: [jdev] Re: Problem Connecting to GoogleTalk using my custom client

Gary Burd wrote:
> On 10/25/05, Ralph Meijer <[EMAIL PROTECTED]> wrote:
>> Hmm, so your implementation does not support DIGEST-MD5? Note that
>> XMPP Core requires implementing this.
>
> The Google Talk Service does not support DIGEST-MD5.
>
> To implement DIGEST-MD5, a server must store the user's password as
> plain text or store a specific hash of the user name and password.
> DIGEST-MD5 might take some work to implement if a server does not
> store passwords in one of these two formats to begin with.

We have two options:

1. Accept that Google Talk is not fully compliant with RFC 3920.

2. In rfc3920bis, change the must-implement to specify something other
than DIGEST-MD5 (perhaps advisable anyway, given recent demonstration of
problems with MD5).

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
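
The storage constraint described in the quoted message above, as an added example that is not part of the original thread: a server can check a DIGEST-MD5 response (RFC 2831, qop=auth, no authzid) only from the unsalted MD5(user:realm:password) value or the plaintext, while PLAIN over TLS can be checked against a salted, iterated record. The user name, realm, password, nonces and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

def digest_md5_secret(user, realm, password):
    # The "specific hash" a DIGEST-MD5 server keeps: MD5(user:realm:password).
    # It is unsalted and password-equivalent: whoever holds it can answer challenges.
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()

def digest_md5_response(secret, nonce, cnonce, nc, digest_uri, qop="auth"):
    # RFC 2831 response-value for qop=auth with no authzid, from the stored secret.
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode()).hexdigest()

def verify_digest_md5(secret, client_response, **challenge):
    # Server side: recompute from the stored secret, compare in constant time.
    expected = digest_md5_response(secret, **challenge)
    return hmac.compare_digest(expected, client_response)

def salted_record(password, rounds=100_000):
    # A salted, iterated record: enough to verify PLAIN over TLS, but it cannot
    # be turned into the MD5(user:realm:password) value DIGEST-MD5 needs.
    salt = os.urandom(16)
    return salt, rounds, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def verify_plain(record, password):
    # PLAIN delivers the password itself, so any one-way record can be checked.
    salt, rounds, expected = record
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(got, expected)

def demo():
    # Constructed sample values, not taken from the thread.
    user, realm, password = "juliet", "example.org", "constructed-pass"
    challenge = dict(nonce="srv-nonce-1", cnonce="cli-nonce-1",
                     nc="00000001", digest_uri="xmpp/example.org")
    secret = digest_md5_secret(user, realm, password)
    client_response = digest_md5_response(secret, **challenge)
    return {
        "digest_ok": verify_digest_md5(secret, client_response, **challenge),
        "plain_ok": verify_plain(salted_record(password), password),
    }

if __name__ == "__main__":
    print(demo())
```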
