On 9/15/09 6:20 AM, Simon Josefsson wrote:
> Fabio Forno <fabio.forno at gmail.com> writes:
>
>> 2009/9/14 Peter Saint-Andre <stpeter at stpeter.im>:
>>> The SASL SCRAM mechanism is currently in IETF Last Call:
>>>
>>> http://www.ietf.org/internet-drafts/draft-ietf-sasl-scram-07.txt
>>>
>>> This mechanism is intended to replace DIGEST-MD5. Does it make sense for
>>> the XMPP WG to specify SCRAM as mandatory-to-implement?
>>
>> Does SCRAM support a digest-based auth like DIGEST-MD5 or, better,
>> does it allow secure authentication over an insecure channel?
>
> Yes. (Of course it depends on your definition of "secure"...)
>
>> In that case definitely yes, since there are many cases in which I don't
>> need TLS, but at least I want to protect my credentials.
>
> You are still vulnerable to active attackers that hijack the connection
> after you have authenticated yourself. But I agree in some situations
> that is an acceptable risk.
>
> To use SCRAM (or CRAM-MD5 or DIGEST-MD5) you need a secure channel. If
> you used DIGEST-MD5 with security layers you will need SCRAM+TLS
> instead. SCRAM does not provide any SASL security layers. I hope you
> weren't using DIGEST-MD5 security layers, because they weren't that
> good...

As mentioned, I don't think that anyone was using DIGEST-MD5 security
layers in XMPP. If I'm wrong about that I'd love to be corrected.

Peter

--
Peter Saint-Andre
https://stpeter.im/
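The property Simon answers "yes" to, shown as an added example that is not part of this thread: a complete SCRAM-SHA-1 run as specified in RFC 5802 (the published form of the draft -07 cited above), with the wire values from the RFC's own section 5 example. The function names are mine; what a passive observer of the channel sees is the nonces, the salt, the iteration count and two HMAC-derived values, never the password, and the server verifies without ever storing the password.

```python
import base64
import hashlib
import hmac

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _salted_password(password: str, salt_b64: str, iterations: int) -> bytes:
    # Hi(Normalize(password), salt, i) is PBKDF2-HMAC-SHA1 (RFC 5802 section 2.2)
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               base64.b64decode(salt_b64), iterations)

def store_credential(password: str, salt_b64: str, iterations: int):
    """Server-side enrolment: keep only StoredKey and ServerKey, never the password."""
    salted = _salted_password(password, salt_b64, iterations)
    return hashlib.sha1(_hmac(salted, b"Client Key")).digest(), _hmac(salted, b"Server Key")

def scram_sha1(user, password, client_nonce, server_nonce, salt_b64, iterations,
               stored_key, server_key):
    """One SCRAM-SHA-1 exchange: the client knows `password`, the server knows only
    (stored_key, server_key). Returns (proof_b64, server_sig_b64, server_ok, client_ok)."""
    nonce = client_nonce + server_nonce
    client_first_bare = f"n={user},r={client_nonce}"
    server_first = f"r={nonce},s={salt_b64},i={iterations}"
    client_final_bare = f"c=biws,r={nonce}"  # biws = base64("n,,"): no channel binding
    # AuthMessage covers everything both sides exchanged; the nonces tie it to this session
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()

    # Client: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); the password stays home
    salted = _salted_password(password, salt_b64, iterations)
    client_key = _hmac(salted, b"Client Key")
    proof = _xor(client_key, _hmac(hashlib.sha1(client_key).digest(), auth_message))

    # Server: unmask ClientKey with its own ClientSignature and check H(ClientKey) == StoredKey
    recovered = _xor(proof, _hmac(stored_key, auth_message))
    server_ok = hmac.compare_digest(hashlib.sha1(recovered).digest(), stored_key)
    server_sig = _hmac(server_key, auth_message)

    # Client: the server must prove it holds ServerKey (mutual authentication)
    client_ok = hmac.compare_digest(server_sig, _hmac(_hmac(salted, b"Server Key"), auth_message))
    return (base64.b64encode(proof).decode(), base64.b64encode(server_sig).decode(),
            server_ok, client_ok)
```

Nothing computed here covers the traffic after the final message: as Simon notes, SCRAM offers no SASL security layer, so without TLS an attacker who takes over the TCP connection at that point inherits the authenticated session.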