On 24.01.19 16:20, Evgeny wrote:
> On Thu, Jan 24, 2019 at 6:11 PM, Florian Schmaus <[email protected]> wrote:
>> Then you can't authenticate unless the server also stores the
>> authentication data for SCRAM-SHA1. I guess that is your point. What is
>> wrong with the server storing the required data to authenticate clients
>> with e.g. SCRAM-SHA1 or SCRAM-SHA256 (besides the implementation overhead
>> argument)? Maybe I am missing something?
>
> I am not sure what you mean. I can only do that on the server
> if I get the plain password from the client, which is something SCRAM
> was designed to prevent, if I understand it correctly.

I don't think that SCRAM was designed to prevent handing over the
plaintext password *on account creation*. Although reducing the exposure
of the plaintext password is always a good idea. That is why modern
challenge-response authentication mechanisms do not require the server
to *store* the password in plaintext. That was/is one design goal of
SCRAM. Happy to stand corrected.

> Also, the problem still remains with upgrading existing
> SHA-1 to SHA-256/384/512/whatever and if I don't upgrade it there
> is possibility to create interop problem again, unless a client
> 1) supports all previous SHA versions
> 2) doesn't treat previous SHA versions as a downgrade attack

I agree that a few words about future interoperability would be nice.
Although I think that there is possibly not much to say about it,
besides that servers are encouraged to support both mechanisms for a
certain time period.

I am not sure if the XSF is the right venue, since it is an IETF
standard and other protocols using SASL should also be affected. May I
suggest asking for opinions on this on the kitten WG [1] mailing list?

- Florian

1: https://datatracker.ietf.org/wg/kitten/about/
_______________________________________________ Standards mailing list Info: https://mail.jabber.org/mailman/listinfo/standards Unsubscribe: [email protected] _______________________________________________
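The server-side storage question in the thread, worked through as an added example (this is not code from the thread, from the XSF, or from any of the participants' servers). It follows RFC 5802: at enrollment the server derives, from the plaintext password, a separate (salt, iteration count, StoredKey, ServerKey) tuple per SCRAM-<hash> mechanism; during login it verifies the client's proof against StoredKey and learns ClientKey, never the password or SaltedPassword. The `naive_upgrade` function is a hypothetical illustration only: it builds a SCRAM-SHA-256 record from what the server holds after a SCRAM-SHA-1 login and shows that record does not authenticate the real user. The username, password and iteration count are constructed sample values; channel binding is the "n" (none) flag, so the GS2 header is `biws`.

```python
"""Added example: SCRAM-<hash> credential storage and verification (RFC 5802).

Not part of the original mailing-list thread. Sample credentials below are
constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import os
import secrets


def hi(hash_name, password, salt, iterations):
    """Hi(str, salt, i) from RFC 5802 section 2.2: PBKDF2 with HMAC-<hash>,
    output length equal to the hash length."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)


def enroll(password, hash_name, iterations=4096, salt=None):
    """What the server stores for ONE SCRAM-<hash> mechanism.

    This is the only step that needs the plaintext password; it has to be
    repeated per hash (sha1, sha256, ...) the server wants to offer."""
    salt = salt or os.urandom(16)
    salted = hi(hash_name, password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.new(hash_name, client_key).digest(),  # H(ClientKey)
        "server_key": hmac.new(salted, b"Server Key", hash_name).digest(),
    }


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def scram_exchange(username, password, hash_name, cred):
    """Full SCRAM-<hash> exchange: the client knows `password`, the server
    only knows `cred`. Returns (server_accepted, client_accepted,
    client_key_recovered_by_server)."""
    cnonce, snonce = secrets.token_urlsafe(18), secrets.token_urlsafe(18)
    client_first_bare = f"n={username},r={cnonce}"
    server_first = (f"r={cnonce}{snonce},"
                    f"s={base64.b64encode(cred['salt']).decode()},i={cred['iterations']}")
    client_final_bare = f"c=biws,r={cnonce}{snonce}"  # biws = base64("n,,")
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()

    # Client: rebuild keys from the password and the server-supplied salt/i.
    salted = hi(hash_name, password, cred["salt"], cred["iterations"])
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hash_name).digest()
    client_proof = xor(client_key, client_sig)

    # Server: ClientKey = ClientProof XOR HMAC(StoredKey, AuthMessage);
    # accept iff H(ClientKey) == StoredKey. No password is ever seen here.
    expected_sig = hmac.new(cred["stored_key"], auth_message, hash_name).digest()
    recovered_client_key = xor(client_proof, expected_sig)
    server_accepted = hmac.compare_digest(
        hashlib.new(hash_name, recovered_client_key).digest(), cred["stored_key"])
    server_sig = hmac.new(cred["server_key"], auth_message, hash_name).digest()

    # Client: mutual authentication, the server must have known ServerKey.
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    client_accepted = hmac.compare_digest(
        server_sig, hmac.new(server_key, auth_message, hash_name).digest())
    return server_accepted, client_accepted, recovered_client_key


def naive_upgrade(old_cred, recovered_client_key, new_hash):
    """Hypothetical: try to mint a SCRAM-<new_hash> record from the SHA-1
    ClientKey the server learned at login. The result is well-formed but
    useless, because the real client will derive SaltedPassword with
    PBKDF2-HMAC-<new_hash> from the password, which the server never had."""
    return {
        "salt": old_cred["salt"],
        "iterations": old_cred["iterations"],
        "stored_key": hashlib.new(new_hash, recovered_client_key).digest(),
        "server_key": hmac.new(recovered_client_key, b"Server Key", new_hash).digest(),
    }


def demo():
    password = "correct horse battery staple"  # constructed sample value
    sha1_cred = enroll(password, "sha1")
    ok_srv, ok_cli, client_key = scram_exchange("juliet", password, "sha1", sha1_cred)
    assert ok_srv and ok_cli
    # Server holds the SHA-1 ClientKey now, but that does not yield SHA-256 data:
    bad = naive_upgrade(sha1_cred, client_key, "sha256")
    assert not scram_exchange("juliet", password, "sha256", bad)[0]
    # Only a fresh enrollment from the plaintext produces a working record:
    sha256_cred = enroll(password, "sha256", salt=sha1_cred["salt"])
    return scram_exchange("juliet", password, "sha256", sha256_cred)[0]


if __name__ == "__main__":
    print("SCRAM-SHA-256 after re-enrollment:", demo())
```

Note that `demo()` offers both mechanisms with the same salt and iteration count; that is allowed, but the StoredKey/ServerKey pairs still differ per hash and each must be computed from the password. Servers that want to add a mechanism later therefore either re-prompt for the password or compute all intended verifiers at account creation.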
