On 12/18/09 8:07 AM, Alexander Holler wrote:
> On 18.12.2009 14:58, Alexander Holler wrote:
>> Storing a hash for every mechanism will not work. E.g. for DIGEST-MD5
>> the server has to hash the clear-text password with a value the client
>> provides. So the server needs the clear-text password. And if the server
>> is able to get the clear-text password, everyone with the same rights on
>> the server can retrieve the clear-text passwords too.
>
> The solution to this problem is public key algorithms. So using
> (enforcing) client-side SSL certificates would do the trick.
>
> Maybe a XEP which defines how a client sends his (public part of the)
> certificate during the registration process would be a practical solution.
Yes, I've been thinking about that for a while, but I haven't had time to write up a document about it. I think we might want to avoid X.509 (with its dependency on ASN.1 etc.) and instead use simple RSA keys as in XEP-0189. But I'll give it more thought soon.

Peter

--
Peter Saint-Andre
https://stpeter.im/
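The registration-then-challenge flow the thread proposes (client presents a public key at registration; the server later verifies a signature instead of holding a clear-text password), as an added example in Go using only the standard library. This is not code from the thread or from any XEP; the `Server`, `Register`, `Challenge`, `Verify` and `Respond` names are assumptions, and RSA-PSS over a 32-byte nonce stands in for whatever signature format a XEP would fix.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Server keeps only the public half of each client's key, so a server operator
// (or anyone with the same rights) holds nothing usable to log in as the user,
// unlike the clear-text password DIGEST-MD5 forces the server to keep.
type Server struct {
	pubkeys map[string]*rsa.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewServer() *Server {
	return &Server{pubkeys: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register records the public key the client sends during registration.
func (s *Server) Register(user string, pub *rsa.PublicKey) { s.pubkeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce for a login attempt by user.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubkeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify accepts the login only if sig is a valid RSA-PSS signature by the
// registered key over the nonce issued to user; the nonce is consumed so a
// captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) error {
	nonce, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, user)
	digest := sha256.Sum256(nonce)
	return rsa.VerifyPSS(s.pubkeys[user], crypto.SHA256, digest[:], sig, nil)
}

// Respond is the client side: sign the nonce with the private key, which never
// leaves the client and is never sent to the server.
func Respond(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}
```

A compromise of the server's user table yields public keys only, which is the property the quoted message is after; transport still needs TLS so the nonce and response are not tampered with in flight.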
_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
