Hi Dave :-) Dave Cridland wrote:
The scenario you mentioned above becomes significantly more difficult with ext in play, especially if predefined sets are the norm.
'ext' and pre-defined sets only improve security if the choice of a "weak" hash makes pre-image attacks "possible". So why don't we make things easier for everyone and simply recommend a stronger hash instead?
I agree that this is additional cost in terms of complexity, and I'd probably argue against it if it weren't mostly in place already.
Yes, several clients (but not all) have this in place. However, I sincerely hope and expect that the number of XMPP clients that will be developed in the future will be many times the number in existance today. It is far easier for the developers of existing clients to remove support for 'ext' than it will be for the developers of new clients to code support for 'ext'. The more simple we can make XEP-0115 (or any other protocol) the easier it will be to attract new developers to XMPP.
- Ian
