On Wed, 12 Oct 2022 at 17:17, Jonas Schäfer <[email protected]> wrote:
> Title: SASL SCRAM Downgrade Protection
> URL: https://xmpp.org/extensions/inbox/xep-downgrade-prevention.html

Any attacker able to manipulate the data coming from the server such that the client sees a restricted set of TLS channel bindings can also manipulate the data coming from the server such that the client sees a restricted set of SASL mechanisms, removing SCRAM entirely.

Moreover, if the client wants to use a stronger mechanism - let's say one of the OPAQUE mechanisms in development - then it loses this protection.

Either way, I'd like more/different eyes on this - I'd highly recommend taking this work to the IETF Kitten working group and seeing what they say.

Dave.
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
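The limitation Dave describes, as an added model (not code from the thread or from the XEP): a downgrade check that rides inside the SCRAM exchange covers the lists the client observed only when SCRAM actually runs, so stripping the channel-binding list or the -PLUS variants is caught, while stripping every SCRAM mechanism is not; the hash encoding, the `Server`/`tampered`/`client_authenticate` names and the client-side "pin" are assumptions for illustration.

```python
import hashlib
import hmac

def downgrade_hash(mechanisms, channel_bindings):
    # Assumed encoding (not the proposal's exact wire format): both lists sorted,
    # comma-joined, newline-separated, hashed with SHA-256.
    data = ",".join(sorted(mechanisms)) + "\n" + ",".join(sorted(channel_bindings))
    return hashlib.sha256(data.encode()).hexdigest()

class Server:
    """Honest server: advertises its lists and checks the client's hash against them."""
    def __init__(self, mechanisms, channel_bindings):
        self.mechanisms = list(mechanisms)
        self.channel_bindings = list(channel_bindings)

    def stream_features(self):
        return {"mechanisms": list(self.mechanisms),
                "channel_bindings": list(self.channel_bindings)}

    def scram_check(self, client_hash):
        # The hash travels inside the SCRAM exchange, so it is covered by the SCRAM proof.
        expected = downgrade_hash(self.mechanisms, self.channel_bindings)
        return hmac.compare_digest(client_hash, expected)

def tampered(features, drop_mechanisms=(), drop_bindings=()):
    """Constructed on-path manipulation of the advertised lists, used to test the check."""
    return {"mechanisms": [m for m in features["mechanisms"] if m not in drop_mechanisms],
            "channel_bindings": [c for c in features["channel_bindings"] if c not in drop_bindings]}

def client_authenticate(server, features, pinned_scram=False):
    """Outcome of one connection from the client's point of view."""
    mechs = features["mechanisms"]
    if not any(m.startswith("SCRAM-") for m in mechs):
        # No SCRAM offered, so the in-SCRAM check never runs. Only a prior pin
        # (the client remembers this server offered SCRAM) turns this into a refusal.
        return "refused: pinned SCRAM missing" if pinned_scram else "no SCRAM offered (check not run)"
    h = downgrade_hash(mechs, features["channel_bindings"])
    return "ok" if server.scram_check(h) else "downgrade detected"

# Constructed sample server: two SCRAM variants, PLAIN, and two channel-binding types.
SERVER = Server(["SCRAM-SHA-256-PLUS", "SCRAM-SHA-256", "PLAIN"],
                ["tls-exporter", "tls-server-end-point"])
```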
