Greg Hudson wrote:
On Tue, 2007-09-11 at 19:51 +0100, Dave Cridland wrote:
If I ruled the world, I'd mandate TLS+SCRAM, and have a SHOULD for TLS+YAP (the latter being plaintext-equiv on the server, but only a single round-trip, so great for mobiles).

You may be missing the most popular reason for sending plain-text
passwords to the server (over TLS, one hopes): it's the only way for the
server to check the password against an external verifier such as an
LDAP server, AD controller, or Kerberos KDC.  (GSSAPI krb5 auth is much
better if you have an AD controller or Kerberos KDC, of course, but I
don't hold out much hope for that being universally implemented in
clients.)
Yes, I mentioned the same a few posts back - auth proxying can be done across a variety of mechanisms/deployments only with SASL PLAIN (and the deprecated jabber:iq:auth) in XMPP.

- Mridul
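The point both messages make, as an added example that is not from this thread or any of the servers discussed: a server that proxies authentication to an external verifier (LDAP bind, AD, KDC) needs the cleartext password, which SASL PLAIN delivers and SCRAM, by design, never does. The in-memory directory and the `tls_active` flag are constructed stand-ins for the real external verifier and transport state.

```python
import hashlib
import hmac
from typing import Callable, Optional, Tuple

def parse_sasl_plain(initial_response: bytes) -> Tuple[str, str, str]:
    """Split an RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd."""
    parts = initial_response.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, passwd

# Constructed stand-in for an external verifier such as an LDAP simple bind:
# it can only answer "is this the password?", so the server must hold the
# cleartext password at the moment of the check. That is what PLAIN provides.
EXTERNAL_DIRECTORY = {"alice": "correct horse battery staple"}

def external_bind(authcid: str, passwd: str) -> bool:
    return hmac.compare_digest(EXTERNAL_DIRECTORY.get(authcid, ""), passwd)

def authenticate_plain(initial_response: bytes, tls_active: bool,
                       verifier: Callable[[str, str], bool] = external_bind
                       ) -> Optional[str]:
    """Accept PLAIN only on a TLS-protected stream, proxy the credentials to
    the external verifier, and return the authorized identity (or None)."""
    if not tls_active:
        return None  # cleartext passwords must never cross an unprotected link
    authzid, authcid, passwd = parse_sasl_plain(initial_response)
    if not verifier(authcid, passwd):
        return None
    # Proxy authorization (authzid != authcid) would need its own policy
    # check; this example only allows a user to authorize as themselves.
    if authzid and authzid != authcid:
        return None
    return authcid

# SCRAM contrast: the server stores only a salted, iterated StoredKey
# (RFC 5802), from which the password cannot be recovered, so nothing the
# server holds can be forwarded to an LDAP/AD/Kerberos verifier.
def scram_stored_key(passwd: str, salt: bytes, iterations: int = 4096) -> bytes:
    salted = hashlib.pbkdf2_hmac("sha1", passwd.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return hashlib.sha1(client_key).digest()
```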
