On 5/25/06, Dave Cridland <[EMAIL PROTECTED]> wrote:
On Thu May 25 11:21:36 2006, Norman Rasmussen wrote:
> Agreed, Psi shouldn't complain about Plain if it's TLS/SSL secured.
Yes it should.
Consider the case where the server is compromised. TLS privacy is
only good on the wire, so if you use PLAIN (or any plaintext password
mechanism), you've handed the attacker your password. So unless the
server cannot be compromised, a client has every right to complain.
If you use DIGEST-MD5, then the attacker only has a plaintext
equivalent good enough to authenticate with the compromised server,
and cannot obtain anything better from the authentication process on
the wire - if the server is compromised, therefore, you've lost
privacy, but not your password.
mmm, all true. Either way Ulrich's users are going to have to provide
their password in 'plain' format at least once to start using jabber.
(either via a script on the web-site or via sasl or iq plain)
--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/
