Not using PLAIN is insufficient - clients have to only use SCRAM, and in particular, variants of SCRAM that are considered secure.
So yes, if someone is deploying SCRAM-SHA256, this would detect a downgrade to SCRAM-SHA1, but only while SCRAM-SHA1 is proof against compromise. And while SCRAM-SHA1 *is* proof against compromise (modulo leaks of the server credential store), a downgrade to it isn't really something to worry about (and why is an attacker doing this?). I would therefore argue this provides no practical protection against downgrades of SASL mechanisms. Therefore, this is *at best* protecting against changing the channel binding type to support only channel binding types that the client does not support, or are weak enough to be under the attacker's control. Maybe it'd be better to start with a concrete example of an attack, demonstrate its utility to the attacker, and then show how this prevents the attack? Dave.
_______________________________________________ Standards mailing list Info: https://mail.jabber.org/mailman/listinfo/standards Unsubscribe: [email protected] _______________________________________________
