Justin Karneges wrote:

> On Sunday 25 January 2009 10:30:39 Dirk Meyer wrote:
>> If you only do SASL, you can not be sure that someone changes the data
>> after the SASL authentication. Maybe you don't need to if you trust the
>> XMPP servers involved.
>
> It depends on the SASL mechanism. With DIGEST-MD5, for example, you can have
> a mutually authenticated session with integrity protection (and encryption).

I did not know that.

> I think our e2e proposal should promote TLS + SASL EXTERNAL as the common
> case, but we should not require TLS and we should allow any SASL mechanism.
> This way, someone could create a password-based service running at a JID.

It may make things more complicated, but I agree, it should be considered. This seems to be the logical choice for communicating with external (web) services.

Dirk

--
The three most dangerous things are a programmer with a soldering iron, a manager who codes, and a user who gets ideas.

_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
_______________________________________________
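As an added illustration of the mutual authentication Justin refers to (this is example code, not something from the thread or from any XMPP library): the RFC 2831 DIGEST-MD5 computation produces a client `response` and a server `rspauth`, and only a server that also knows the password can return a matching `rspauth`. All usernames, nonces and the password below are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def _hex_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_pair(username: str, realm: str, password: str, nonce: str,
                    cnonce: str, nc: str, qop: str, digest_uri: str) -> Tuple[str, str]:
    """Return (response, rspauth) per RFC 2831 sections 2.1.2.1 and 2.1.3.

    response proves the client knows the password; rspauth proves the
    server knows it too, which is what makes the exchange mutual.
    """
    # A1 = H(username:realm:password) : nonce : cnonce  (raw 16-byte digest + text)
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    a1 += f":{nonce}:{cnonce}".encode()
    ha1 = _hex_md5(a1)
    # For auth-int / auth-conf, A2 carries 32 zeros; this binds the negotiated
    # integrity or confidentiality layer to the authentication itself.
    suffix = ":00000000000000000000000000000000" if qop in ("auth-int", "auth-conf") else ""
    ha2_client = _hex_md5(f"AUTHENTICATE:{digest_uri}{suffix}".encode())
    ha2_server = _hex_md5(f":{digest_uri}{suffix}".encode())  # rspauth omits the method

    def kd(ha2: str) -> str:
        return _hex_md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

    return kd(ha2_client), kd(ha2_server)


def server_verify(stored_password: str, username: str, realm: str, nonce: str, cnonce: str,
                  nc: str, qop: str, digest_uri: str, client_response: str) -> Optional[str]:
    """Server side: recompute the expected response; on match, return rspauth, else None."""
    expected, rspauth = digest_md5_pair(username, realm, stored_password,
                                        nonce, cnonce, nc, qop, digest_uri)
    if not hmac.compare_digest(expected, client_response):
        return None
    return rspauth


def client_check_server(expected_rspauth: str, received: Optional[str]) -> bool:
    """Client side: the server is authenticated only if its rspauth matches."""
    return received is not None and hmac.compare_digest(expected_rspauth, received)


if __name__ == "__main__":
    # Constructed sample exchange (values are not from any real session).
    args = ("romeo", "example.com", "s3cret", "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk",
            "00000001", "auth-int", "xmpp/example.com")
    resp, want_rspauth = digest_md5_pair(*args)
    got = server_verify("s3cret", *args[:2], *args[3:], resp)
    print("server authenticated:", client_check_server(want_rspauth, got))
```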
