On 12/18/09 9:17 AM, Dave Cridland wrote: > On Fri Dec 18 15:41:39 2009, Peter Saint-Andre wrote: >> On 12/18/09 8:07 AM, Alexander Holler wrote: >> > Am 18.12.2009 14:58, schrieb Alexander Holler: >> >> Storing a hash for every mechanism will not work. E.g. for DIGEST-MD5 >> >> the server has to hash the clear-text password with a value the client >> >> provides. So the server needs the clear-text password. And if the >> server >> >> is able to get the clear-text password, everyone with the same >> rights on >> >> the server can retrieve the clear-text passwords too. >> > >> > The solution to this problem are public key algorithms. So using >> > (enforcing) client-side SSL certificates would do the trick. >> > >> > Maybe a XEP which defines how a client sends his (public part of the) >> > certificate during the registration process would be a practical >> solution. >> >> Yes, I've been thinking about that for a while, but I haven't had time >> to write up a document about it. I think we might want to avoid X.509 >> (with its dependency on ASN.1 etc.) and instead use simple RSA keys as >> in XEP-0189. But I'll give it more thought soon. > > I agree that ASN.1 isn't terribly easy, but it's all just blobs, really > - it strikes me as simpler to just reuse existing self-signed cert > generation code for the purpose.
The case I've been thinking about in relation to XEP-0189 (and things that might be built on top of it) is end-to-end encryption by web clients. We had some hallway discussion about that at IETF 74. Until and unless someone writes a TLS and X.509 stack in JavaScript, web clients will be out of luck. Something simpler might be preferable. But that's a bigger topic and might belong on another mailing list. :) > Plus, that gains you the ability to tap into sometmes quite advanced > X.509 personal key stores on some operating systems. As someone who uses a client certificate, I agree that's a good thing. Naturally, you could sign your RSA key with your X.509 cert or OpenPGP key or other such material. But, again, that might be a topic for another time and place... Peter -- Peter Saint-Andre https://stpeter.im/
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ JDev mailing list Forum: http://www.jabberforum.org/forumdisplay.php?f=20 Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: [email protected] _______________________________________________
