Originally posted by David O'Meara:
What do you mean by zero-knowledge? Are you referring to a proprietary protocol where the security is based on intermediate viewers not knowing how to read the data?
The zero-knowledge authentication scheme for Jabber is unique to Jabber (invented for Jabber use). It basically works by establishing a standardized pattern for password generation. The client starts by telling the server the first password, and some data that is used to generate it. This pattern involves a standard way for generating the next password in the password sequence without knowing what the previous password is (digests of digests).
The next time the client wants to authenticate, it sends the previous password, and the server confirms it by taking that previous password and generating the next password (the one it should have stored). If it matches, the server stores the new previous password as the current password and throws out the old one. So I guess it's more accurate to say that the server only stores a one-time-use password that is immediately invalidated once it is successfully used.
What about emulating the standard HTTP authentication mechanisms, password digests (i.e. one-way functions) being the obvious exclusion...
You could make use of SSL to encrypt clear text password transport, but if you're working in a client/server world where you control the client and the server, digests would be a simple inclusion.
There is currently work underway to switch Jabber over to using SASL for encryption and authentication. All the internet protocols are moving over to SASL so I think this is a great move and essentially achieves what you are suggesting. SASL is a pluggable security system and is being adopted for HTTP, POP, etc. Check out the IETF (www.ietf.org) for more info on it.
-iain
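
The "digests of digests" scheme described in the post above, as an added sketch that is not part of the original post and is not Jabber's actual wire protocol. SHA-256, the salt handling and the names `chain` and `Server` are assumptions chosen for illustration; all sample values are constructed.

```python
import hashlib
import hmac


def chain(secret: bytes, salt: bytes, rounds: int) -> bytes:
    """Digest salt+secret once, then digest the result rounds-1 more times."""
    value = hashlib.sha256(salt + secret).digest()
    for _ in range(rounds - 1):
        value = hashlib.sha256(value).digest()
    return value


class Server:
    """Holds only the most recently accepted chain value, never the secret."""

    def __init__(self, first_password: bytes, rounds: int):
        self.stored = first_password   # equals chain(secret, salt, rounds)
        self.remaining = rounds        # chain index of the stored value

    def authenticate(self, candidate: bytes) -> bool:
        if self.remaining <= 1:
            # The only preimage left is salt+secret itself, so the chain is
            # exhausted and the client has to register a fresh one.
            return False
        # Digesting the "previous" password must give the stored one.
        expected = hashlib.sha256(candidate).digest()
        if not hmac.compare_digest(expected, self.stored):
            return False
        # Accepted: keep the candidate and throw out the old value, which
        # makes the value just sent useless to anyone who captured it.
        self.stored = candidate
        self.remaining -= 1
        return True


if __name__ == "__main__":
    secret, salt, rounds = b"correct horse", b"constructed-salt", 4
    server = Server(chain(secret, salt, rounds), rounds)
    login = chain(secret, salt, rounds - 1)
    print("first login :", server.authenticate(login))   # accepted
    print("replay      :", server.authenticate(login))   # rejected
```

The server never sees the secret, and each accepted value is one step closer to the start of the chain, so the number of logins is bounded by `rounds` before a new chain has to be registered.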