On 18.12.2009 14:58, Alexander Holler wrote:
Storing a hash for every mechanism will not work. E.g. for DIGEST-MD5 the server has to hash the clear-text password with a value the client provides. So the server needs the clear-text password. And if the server is able to get the clear-text password, everyone with the same rights on the server can retrieve the clear-text passwords too.
The solution to this problem is public key algorithms. So using (enforcing) client-side SSL certificates would do the trick.
Maybe a XEP which defines how a client sends its (public part of the) certificate during the registration process would be a practical solution.
Regards,
Alexander

_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
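As an added example (not part of this mailing-list post), the DIGEST-MD5 response computation from RFC 2831, written so that the same function serves the client (which knows the password) and the server (which holds only its stored verifier). It illustrates the point above: whatever the server stores for this mechanism, the clear-text password or the derived MD5(username:realm:password), is enough to compute a valid response, so read access to that value on the server is equivalent to knowing the password. The username, realm, password, nonces and digest-uri are constructed test values.

```python
import hashlib
import hmac
import os

# Constructed demonstration of RFC 2831 DIGEST-MD5; not code from the thread.

def digest_md5_verifier(username: str, realm: str, password: str) -> bytes:
    """The value a server can store instead of the clear-text password:
    the raw 16-byte MD5(username:realm:password) from RFC 2831."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def digest_md5_response(verifier: bytes, nonce: bytes, cnonce: bytes,
                        nc: bytes, qop: bytes, digest_uri: bytes) -> str:
    """RFC 2831 response-value (no authzid). It needs only the 16-byte
    verifier plus values that travel in clear on the wire, which is why
    that verifier is password-equivalent for this mechanism."""
    a1 = verifier + b":" + nonce + b":" + cnonce
    ha1 = hashlib.md5(a1).hexdigest().encode()
    a2 = b"AUTHENTICATE:" + digest_uri
    ha2 = hashlib.md5(a2).hexdigest().encode()
    kd = b":".join([ha1, nonce, nc, cnonce, qop, ha2])
    return hashlib.md5(kd).hexdigest()

def server_accepts(verifier: bytes, nonce: bytes, cnonce: bytes, nc: bytes,
                   qop: bytes, digest_uri: bytes, client_response: str) -> bool:
    """Server-side check: recompute from the stored verifier and compare
    in constant time. The server never needs the password itself."""
    expected = digest_md5_response(verifier, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, client_response)

def run_exchange():
    """One full exchange. Returns (server accepted, verifier-only response
    matched the client's), both expected to be True."""
    username, realm, password = "alice", "example.org", "correct horse"
    nonce = os.urandom(16).hex().encode()    # server challenge, sent in clear
    cnonce = os.urandom(16).hex().encode()   # client nonce, sent in clear
    nc, qop, uri = b"00000001", b"auth", b"xmpp/example.org"
    # Client side: derives the verifier from the password it knows.
    client_resp = digest_md5_response(
        digest_md5_verifier(username, realm, password), nonce, cnonce, nc, qop, uri)
    # Server side: holds only the stored verifier (set up at registration).
    stored = digest_md5_verifier(username, realm, password)
    ok = server_accepts(stored, nonce, cnonce, nc, qop, uri, client_resp)
    # The stored verifier alone reproduces the client's response, so anyone
    # who can read it on the server can authenticate as the user.
    from_verifier_only = digest_md5_response(stored, nonce, cnonce, nc, qop, uri)
    return ok, from_verifier_only == client_resp
```

Contrast this with a public-key scheme, where the server stores only verification material (a certificate or public key) that cannot be used to produce a valid authentication response.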
