On Wed Nov  9 14:46:19 2011, Jehan Pagès wrote:
> > We can't do this here. It's not an impossible concept, but the place to
> > define such a standard would be in the IETF's Kitten working group, not
> > here. (In case anyone wonders, Kitten = "Son of Cat"; Cat = "Common
> > Authentication Technologies".)
> >
> > If this were to happen, then (and only then) there'd be a compelling reason
> > for password changes to run through something different.

> I don't really understand your remark. This is exactly what is implemented,
> and how, in SCRAM (indeed defined by the IETF in the Kitten Working
> Group). SCRAM already allows this kind of feature (never sending
> anything other than encrypted data over the wire, the server never having
> the actual password, etc.). This is actually what my XEP is based on,
> and why I thought now was the right time for a change, as we moved to
> SCRAM as a mandatory-to-implement technology.
> Note that since the XEP is flexible, it won't cause any issue for any other
> server (even one not using SCRAM), and I explain how to have something
> similar to XEP-0077 with PLAIN storage, while at least giving
> security to all recent servers.

There exists no technology or framework for setting credentials in a uniform and flexible manner for multiple authentication mechanisms.

Your XEP appears to aim to design such a framework.

My position is that this kind of work should not happen in the XSF - we do not have the expertise.

So for this aspect of the proposal to happen, there needs to be work outside the XSF that we can build on.

Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
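As an added illustration, not part of the thread, of the SCRAM property Jehan refers to (the server never holding the actual password): per RFC 5802 the server stores only salt, iteration count, StoredKey and ServerKey, and the client proves knowledge of the password without transmitting it. The password, salt, iteration count and AuthMessage below are constructed values.

```python
import hashlib
import hmac

# Constructed example values, not taken from the thread.
PASSWORD = "pencil"
SALT = b"constructed-salt-1234"
ITERATIONS = 4096
# A constructed AuthMessage; in real SCRAM it is the concatenation of the
# client-first-bare, server-first and client-final-without-proof messages.
AUTH_MESSAGE = b"n=user,r=cnonce,r=cnonce,s=Y29uc3Q=,i=4096,c=biws,r=cnoncesnonce"

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_store(password: str, salt: bytes, iterations: int) -> dict:
    """What a SCRAM-SHA-1 server keeps per user (RFC 5802, section 3).
    The plaintext password is consumed here and does not appear in the record."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),  # H(ClientKey)
        "server_key": server_key,
    }

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    Only the proof crosses the wire, never the password or ClientKey itself."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return _xor(client_key, signature)

def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Only StoredKey is needed for this, so the server never needs the password."""
    signature = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = _xor(proof, signature)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])

if __name__ == "__main__":
    record = scram_store(PASSWORD, SALT, ITERATIONS)
    proof = client_proof(PASSWORD, SALT, ITERATIONS, AUTH_MESSAGE)
    print("record holds no password:", "password" not in record)
    print("valid proof accepted:", server_verify(record, AUTH_MESSAGE, proof))
```

Because the stored record is derived from the password alone, scram_store can equally be run on the client, which is what makes a password change without the server ever seeing the new password possible in principle.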
