Just a quick note on the just-ended SASL WG meeting at IETF70, which
I listened to and read through on the chatroom. Of importance to
XMPP/XSF:

DIGEST-MD5 is likely to be made historic soon - the document will be
going to working group last call very shortly. This is okay, I think
as...

SCRAM is looking near completion, however there is a significant
proportion of the WG which would like to see it as a GS2 (ie, GSSAPI)
mechanism, exposed through SASL. I'm personally a little nervous
about this, I'm thinking in particular that this may cause additional
implementation complexity. If you have a strong opinion either way,
you may wish to join the WG and make your feelings known.

There was also a discussion about legacy authentication mechanisms,
and, in particular, how clients ought to choose between (for example)
a legacy plaintext mechanism like XEP-0078 and SASL PLAIN. The
consensus seemed to be that it's up to the protocol to tell clients
what to do. I think XEP-0078 covers us for this - it clearly states
it's deprecated - but we may want to review that and double-check.

Finally, I had an interesting chat with Nico Williams on channel
binding, which might help people understand that area of security a
little better. It's at the end of the logs, which I can't quite
recall a URL for, but I'll dig one out if anyone wants it.

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade