On 5/25/06, Dave Cridland <[EMAIL PROTECTED]> wrote:
> On Thu May 25 11:21:36 2006, Norman Rasmussen wrote:
> > Agreed, Psi shouldn't complain about Plain if it's TLS/SSL secured.
>
> Yes it should.
>
> Consider the case where the server is compromised. TLS privacy is
> only good on the wire, so if you use PLAIN (or any plaintext password
> mechanism), you've handed the attacker your password. So unless the
> server cannot be compromised, a client has every right to complain.

At HP, our server (Jabber Inc. XCP) uses TLS+plain.  IT found that it
scaled *much* better that way.  This is one of those real-world
compromises that security people have to work with sometimes.

But on an intranet you can trust the server more so than on the Internet.

--
Psi webmaster (http://psi-im.org)
im:[EMAIL PROTECTED]
http://halr9000.com
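To make Dave's point concrete, here is an added example (not from the thread, and not Psi or XCP code): what a server that has already decrypted the TLS session learns from SASL PLAIN, beside a challenge-response mechanism, SCRAM-SHA-1 (RFC 5802, which postdates this 2006 thread). The user name, password, salt and nonces are constructed.

```python
# Added example, not from the thread. Credentials and nonces below are constructed.
import base64, hashlib, hmac, os

def plain_initial_response(user, password):
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd, base64 on the wire."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def server_sees_plain(initial_response):
    """After TLS decryption the server holds the password verbatim."""
    _authzid, authcid, passwd = base64.b64decode(initial_response).decode().split("\0")
    return authcid, passwd

def _client_and_stored_key(password, salt, iterations):
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)  # Hi()
    client_key = hmac.new(salted, b"Client Key", "sha1").digest()
    return client_key, hashlib.sha1(client_key).digest()

def scram_stored_key(password, salt, iterations):
    """What a SCRAM-SHA-1 server keeps on disk: StoredKey, not the password."""
    return _client_and_stored_key(password, salt, iterations)[1]

def scram_client_proof(password, salt, iterations, auth_message):
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key = _client_and_stored_key(password, salt, iterations)
    sig = hmac.new(stored_key, auth_message, "sha1").digest()
    return bytes(a ^ b for a, b in zip(client_key, sig))

def scram_server_verify(stored_key, auth_message, client_proof):
    """The server unmasks ClientKey and checks H(ClientKey) == StoredKey.
    It recovers ClientKey for this login, never the password itself."""
    sig = hmac.new(stored_key, auth_message, "sha1").digest()
    client_key = bytes(a ^ b for a, b in zip(client_proof, sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)

def demo():
    user, password = "alice", "correct horse"
    # PLAIN over TLS: private on the wire, but the server still receives the password.
    leaked = server_sees_plain(plain_initial_response(user, password))
    # SCRAM: the server stores a derived key; a login yields only a nonce-bound proof.
    salt, iters = os.urandom(16), 4096
    stored = scram_stored_key(password, salt, iters)
    auth_message = b"n=alice,r=c1,r=c1s1,s=c2FsdA==,i=4096,c=biws,r=c1s1"  # constructed
    good = scram_server_verify(stored, auth_message,
                               scram_client_proof(password, salt, iters, auth_message))
    bad = scram_server_verify(stored, auth_message,
                              scram_client_proof("wrong", salt, iters, auth_message))
    return leaked, good, bad
```

SCRAM keeps the password itself away from the server, so a compromised server cannot replay it against other services; it does not change what that server can do with the session it just authenticated.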
