On Donnerstag, 24. Januar 2019 21:03:27 CET Evgeny wrote: > On Thu, Jan 24, 2019 at 9:15 PM, Dave Cridland <[email protected]> > > wrote: > > XMPP-Grid (that draft) essentially says both servers and clients MUST > > implement EXTERNAL, SCRAM-SHA1, SCRAM-SHA1-PLUS, SCRAM-SHA-256, and > > SCRAM-SHA-256-PLUS. > > > > Is there any interest in updating our MTI? > > How can we require SHA-256 when we don't have any way to upgrade > existing deployments from SHA-1? Leaving the burden to the operators > again, because this is out of scope of XSF? :) > Some already suggested "solving" this by forcing password > renewal, but we don't have any mechanisms to do this in XMPP. > > I personally prefer: > 1) MUST for EXTERNAL and PLAIN > 2) SHOULD for SCRAM-SHA-X-Y (I'd prefer not to use SCRAM at all > given all the problems I have described in another thread)
My understanding is that Dave talks about Mandatory To Implement, which is something different than Mandatory To Deploy / Mandatory To Offer (at least that’s what I get from reading the relevant section in RFC 6120). I don’t see any harm in requiring SCRAM-* implementations, even taking into account the migration issues. kind regards, Jonas
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Standards mailing list Info: https://mail.jabber.org/mailman/listinfo/standards Unsubscribe: [email protected] _______________________________________________
