On Wed, Mar 4, 2015 at 4:52 PM, Stephen Frost <sfr...@snowman.net> wrote:

> A lot of discussion has been going on with SCRAM and SASL, which is all
> great, but that means we end up with a dependency on SASL or we have to
> reimplement SCRAM (which I've been thinking might not be a bad idea-
> it's actually not that hard), but another suggestion was made which may

I'd really rather not add a dependency on SASL if we can avoid it. I
haven't read up on SCRAM, but if it's reasonable enough to reimplement - or
if there is a BSD licensed implementation that we can import into our own
sourcetree without adding a dependency on SASL, that sounds like a good way
to proceed.

> be worthwhile to consider- OpenSSL and GnuTLS both support TLS-SRP, the
> RFC for which is here: http://www.ietf.org/rfc/rfc5054.txt.  We already
> have OpenSSL and therefore this wouldn't create any new dependencies and
> might be slightly simpler to implement.

OpenSSL is not a *requirement* today, it's an optional dependency.  Given
it's license we really can't make it a mandatory requirement I think. So if
we go down that route, we still leave md5 in there as the one that works

Also AFAICT TLS-SRP actually requires the connection to be over TLS - so
are you suggesting that TLS becomes mandatory?

It sounds like something that could be interesting to have, but not as a
solution to the "md5 problem", imo.

 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Reply via email to