Hi Peter,

> In any case, if the client has a local policy not to use PLAIN (or other
> mechanisms that it considers to be too weak), then it simply wouldn't
> use those in case of a downgrade attack. Similar policies are in place
> already for things like old versions of TLS, see here:
> https://datatracker.ietf.org/doc/html/draft-ietf-uta-rfc7525bis-11#section-3.2

Yes, but if you leave PLAIN aside, even different flavors of SCRAM have different protection levels.

If, for example, SCRAM-SHA-1 is deemed broken one day, server operators most probably will still have to support it for some time, until all clients have upgraded their policy to not support SCRAM-SHA-1 anymore. Not to mention that some server operators may not be aware of this newly discovered SCRAM-SHA-1 weakness at all. In this timeframe, an attacker could still downgrade the connection to SCRAM-SHA-1 even though this is insecure now.

Policies are always a hard cut creating timeframes of opportunity for attackers. Having a downgrade-protection in place will close this timeframe of opportunity altogether.

-tmolitor

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
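A simplified model of the argument in the message above, added here as an example and not taken from the thread or from any XMPP specification: it contrasts a client-side mechanism policy with a check that binds the server's real mechanism list into the authenticated exchange. The preference order, the function names and the shared `key` (standing in for secret material only the genuine endpoints hold) are assumptions of this example.

```python
import hashlib
import hmac

# Constructed preference order, strongest first (an assumption of this example).
PREFERENCE = ["SCRAM-SHA-512", "SCRAM-SHA-256", "SCRAM-SHA-1", "PLAIN"]

class DowngradeDetected(Exception):
    pass

def pick(advertised, allowed):
    """Strongest mechanism that is both advertised and allowed by local policy."""
    for mech in PREFERENCE:
        if mech in advertised and mech in allowed:
            return mech
    return None

def list_tag(key, mechanisms):
    """MAC over the canonical mechanism list. The key is a hypothetical stand-in
    for secret material shared only by the genuine client and server."""
    canonical = ",".join(sorted(mechanisms)).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()

def negotiate(server_list, seen_list, allowed, key=None):
    """server_list: what the server really offers; seen_list: what reached the
    client (possibly altered in transit). With a key, the server's tag over its
    real list is compared with a tag over the list the client saw."""
    mech = pick(seen_list, allowed)
    if mech is None:
        return None  # local policy refuses everything on offer
    if key is not None:
        server_tag = list_tag(key, server_list)  # carried inside the authenticated exchange
        if not hmac.compare_digest(server_tag, list_tag(key, seen_list)):
            raise DowngradeDetected(f"offered list was altered; refusing {mech}")
    return mech

SERVER = ["SCRAM-SHA-512", "SCRAM-SHA-256", "SCRAM-SHA-1"]
STRIPPED = ["SCRAM-SHA-1"]        # constructed: the list after tampering in transit
TRANSITION_POLICY = set(SERVER)   # SCRAM-SHA-1 still allowed for not-yet-upgraded servers
STRICT_POLICY = {"SCRAM-SHA-512", "SCRAM-SHA-256"}
```

With `TRANSITION_POLICY` and no key, the stripped list yields SCRAM-SHA-1 without any error, which is the window the message describes; with a key the same input raises `DowngradeDetected`, while a server that genuinely offers only SCRAM-SHA-1 still authenticates.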
