Fabio Forno <fabio.forno at gmail.com> writes:

> 2009/9/14 Peter Saint-Andre <stpeter at stpeter.im>:
>> The SASL SCRAM mechanism is currently in IETF Last Call:
>>
>> http://www.ietf.org/internet-drafts/draft-ietf-sasl-scram-07.txt
>>
>> This mechanism is intended to replace DIGEST-MD5. Does it make sense for
>> the XMPP WG to specify SCRAM as mandatory-to-implement?
>
> Does SCRAM support a digest-based auth like DIGEST-MD5 or, better,
> does it allow secure authentication over an insecure channel?

Yes. (Of course it depends on your definition of "secure"...)

> In that case definitely yes, since there are many cases in which I don't
> need TLS, but at least I want to protect my credentials.

You are still vulnerable to active attackers that hijack the connection
after you have authenticated yourself. But I agree in some situations
that is an acceptable risk.

To use SCRAM (or CRAM-MD5 or DIGEST-MD5) you need a secure channel. If
you used DIGEST-MD5 with security layers you will need SCRAM+TLS
instead. SCRAM does not provide any SASL security layers. I hope you
weren't using DIGEST-MD5 security layers, because they weren't that
good...

/Simon
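The SCRAM exchange discussed above, as an added example that is not from the thread or the draft: a minimal SCRAM-SHA-1 client and server run in Python using only hashlib and hmac, with constructed nonces, salt and credentials. It shows that the password never crosses the wire and that the server stores only StoredKey and ServerKey, and also that the exchange yields no session key, which is why traffic after authentication is unprotected unless TLS carries the stream.

```python
import base64, hashlib, hmac

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() in SCRAM is PBKDF2 with HMAC-SHA-1 and a 20-byte output
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)

def h(data): return hashlib.sha1(data).digest()
def hm(key, msg): return hmac.new(key, msg, hashlib.sha1).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def b64(data): return base64.b64encode(data).decode()

def server_store(password: str, salt: bytes, iterations: int = 4096):
    # The server never keeps the password, only StoredKey and ServerKey
    salted = hi(password.encode(), salt, iterations)
    return {"salt": salt, "i": iterations,
            "stored_key": h(hm(salted, b"Client Key")),
            "server_key": hm(salted, b"Server Key")}

def scram_sha1_exchange(user, password, record, c_nonce, s_nonce):
    """Run the four SCRAM-SHA-1 messages; return (server_ok, client_ok)."""
    # client-first-message: GS2 header "n,," followed by the bare part
    client_first_bare = f"n={user},r={c_nonce}"
    # server-first-message: combined nonce, salt and iteration count
    server_first = f"r={c_nonce}{s_nonce},s={b64(record['salt'])},i={record['i']}"
    # Client derives its keys locally; the password itself is never sent
    salted = hi(password.encode(), record["salt"], record["i"])
    client_key = hm(salted, b"Client Key")
    client_final_bare = f"c={b64(b'n,,')},r={c_nonce}{s_nonce}"
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    client_proof = xor(client_key, hm(h(client_key), auth_message))
    client_final = f"{client_final_bare},p={b64(client_proof)}"
    # Server recovers ClientKey from the proof and checks H(ClientKey) == StoredKey
    proof = base64.b64decode(client_final.split(",p=")[1])
    recovered = xor(proof, hm(record["stored_key"], auth_message))
    if not hmac.compare_digest(h(recovered), record["stored_key"]):
        return False, False
    # server-final-message: HMAC(ServerKey, AuthMessage) proves the server knows ServerKey
    server_final = f"v={b64(hm(record['server_key'], auth_message))}"
    expected = hm(hm(salted, b"Server Key"), auth_message)
    client_ok = hmac.compare_digest(base64.b64decode(server_final[2:]), expected)
    # Note: no session key is derived here. SCRAM defines no security layer,
    # so everything sent after this exchange is unprotected without TLS.
    return True, client_ok

if __name__ == "__main__":
    rec = server_store("pencil", b"constructed-salt")  # constructed credentials
    print(scram_sha1_exchange("user", "pencil", rec, "cnonce1", "snonce1"))
```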
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.