
SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports #96

Open
Neustradamus opened this issue Dec 25, 2023 · 11 comments

Comments

@Neustradamus

Neustradamus commented Dec 25, 2023

Dear @duesee,

Can you add support for:

  • SCRAM-SHA-1
  • SCRAM-SHA-1-PLUS
  • SCRAM-SHA-256
  • SCRAM-SHA-256-PLUS
  • SCRAM-SHA-512
  • SCRAM-SHA-512-PLUS
  • SCRAM-SHA3-512
  • SCRAM-SHA3-512-PLUS

You can add too:

  • SCRAM-SHA-224
  • SCRAM-SHA-224-PLUS
  • SCRAM-SHA-384
  • SCRAM-SHA-384-PLUS

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

IMAP:

LDAP:

  • RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

2FA:

IANA:

Linked to:
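The preference order quoted above (-PLUS over the plain variant, SHA-256 over SHA-1), as an added example written for this page, not code from imap-codec or from anyone in this thread: it parses the SCRAM names a server advertises, picks one, and builds the GS2 channel-binding flag from RFC 5802 that lets a server detect a stripped -PLUS mechanism. Ranking channel binding ahead of hash strength is this example's choice, not something the quote settles; the hash list, the constructed capability list and the use of "tls-exporter" (RFC 9266) as the channel-binding type are assumptions of the example.

```rust
// Added illustration for this issue (not code from the repository or from
// any commenter): choose a SCRAM variant from an advertised mechanism list
// and build / check the GS2 channel-binding flag of RFC 5802.

/// Hashes of the SCRAM variants listed in the issue, declared weakest-first
/// so the derived `Ord` ranks stronger hashes higher.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Hash {
    Sha1,
    Sha224,
    Sha256,
    Sha384,
    Sha512,
    Sha3_512,
}

/// A parsed SCRAM mechanism name such as "SCRAM-SHA-256-PLUS".
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Mechanism {
    pub hash: Hash,
    /// `true` for the channel-binding (-PLUS) variant.
    pub plus: bool,
}

/// Parse a SASL mechanism name; `None` for non-SCRAM mechanisms
/// (PLAIN, LOGIN, ...) and for hashes this example does not know.
pub fn parse_mechanism(name: &str) -> Option<Mechanism> {
    let rest = name.strip_prefix("SCRAM-")?;
    let (hash_name, plus) = match rest.strip_suffix("-PLUS") {
        Some(h) => (h, true),
        None => (rest, false),
    };
    let hash = match hash_name {
        "SHA-1" => Hash::Sha1,
        "SHA-224" => Hash::Sha224,
        "SHA-256" => Hash::Sha256,
        "SHA-384" => Hash::Sha384,
        "SHA-512" => Hash::Sha512,
        "SHA3-512" => Hash::Sha3_512,
        _ => return None,
    };
    Some(Mechanism { hash, plus })
}

/// Render a mechanism back to its SASL name.
pub fn mechanism_name(m: Mechanism) -> String {
    let hash = match m.hash {
        Hash::Sha1 => "SHA-1",
        Hash::Sha224 => "SHA-224",
        Hash::Sha256 => "SHA-256",
        Hash::Sha384 => "SHA-384",
        Hash::Sha512 => "SHA-512",
        Hash::Sha3_512 => "SHA3-512",
    };
    if m.plus {
        format!("SCRAM-{}-PLUS", hash)
    } else {
        format!("SCRAM-{}", hash)
    }
}

/// Pick the mechanism to use. `client_cb` says whether this client can
/// supply a TLS channel binding; -PLUS variants are skipped without one.
/// Ranking (this example's choice): channel binding first, then the
/// strongest hash.
pub fn choose(advertised: &[&str], client_cb: bool) -> Option<Mechanism> {
    advertised
        .iter()
        .filter_map(|n| parse_mechanism(n))
        .filter(|m| client_cb || !m.plus)
        .max_by_key(|m| (m.plus, m.hash))
}

/// GS2 channel-binding flag at the front of the client-first message
/// (RFC 5802, section 7): "p=<type>" when a -PLUS mechanism was chosen,
/// "y" when the client supports channel binding but saw no -PLUS
/// mechanism, "n" when the client cannot do channel binding at all.
pub fn gs2_cbind_flag(chosen: Mechanism, client_cb: bool, cb_type: &str) -> String {
    if chosen.plus {
        format!("p={}", cb_type)
    } else if client_cb {
        "y".to_string()
    } else {
        "n".to_string()
    }
}

/// Server-side rule from RFC 5802, section 6: a "y" flag received by a
/// server that does support channel binding means the -PLUS mechanism was
/// removed from the advertised list in transit, so authentication must fail.
pub fn server_accepts_flag(flag: &str, server_supports_cb: bool) -> Result<(), &'static str> {
    match flag {
        "y" if server_supports_cb => Err("downgrade detected: client saw no -PLUS mechanism"),
        "y" | "n" => Ok(()),
        f if f.starts_with("p=") => {
            if server_supports_cb { Ok(()) } else { Err("server cannot verify channel binding") }
        }
        _ => Err("malformed gs2-cbind-flag"),
    }
}

fn main() {
    // Constructed capability list, as a server might advertise it.
    let advertised = ["PLAIN", "SCRAM-SHA-1", "SCRAM-SHA-256", "SCRAM-SHA-256-PLUS"];
    for &client_cb in &[true, false] {
        if let Some(m) = choose(&advertised, client_cb) {
            let flag = gs2_cbind_flag(m, client_cb, "tls-exporter");
            println!("client_cb={} -> {} (gs2 flag {})", client_cb, mechanism_name(m), flag);
        }
    }
}
```

With channel binding available the client lands on SCRAM-SHA-256-PLUS; without it, on SCRAM-SHA-256 with flag "n". The interesting case is a client that supports channel binding but sees no -PLUS mechanism: it sends "y", and a server that does support channel binding rejects that, which is the downgrade protection the -PLUS variants add.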

@duesee duesee self-assigned this Feb 19, 2024
@duesee duesee added this to the 9. Higher-level, async-first, IMAP library for client- and server milestone Feb 20, 2024
@duesee duesee removed their assignment Feb 21, 2024
@gowthamgts

gowthamgts commented Mar 30, 2024

https://news.ycombinator.com/item?id=39868682

@Neustradamus
Author

@gowthamgts: Do you attack me because I have requested the XZ update?
I am not linked to the XZ project.

@duesee
Owner

duesee commented Mar 30, 2024

Thanks for the hint, @gowthamgts!

Some thoughts (and context):

This issue asks to implement support for some SCRAM variants -- it doesn't "push for changes to sha256" as said on HN. To the best of my knowledge, there is nothing wrong with SCRAM -- to the contrary. Thus, I believe @Neustradamus opened this issue in good faith.

Still, while you are here:

SASL is old and complex. It's also literally the key to our online identity. Yet, it feels under-researched. Maybe we can use our energy to take a closer look on SASL implementations?

(While I can't do much research on my own currently, I will happily assist anyone wanting to do so with tooling, expertise, etc.! Want to see that happen for quite some time now...)

@gowthamgts

@Neustradamus definitely no. At this point in time I just wanted to be sure that people knew about the backdoor. You can definitely be a genuine user or a developer or a contributor or even a penguin on the internet. 🙂

@duesee understood. No harm no foul. These PRs were flagged by people earlier and just wanted to make sure this reached the maintainers of the projects.

@Neustradamus
Author

Neustradamus commented Mar 30, 2024

@duesee: Thanks for your answer, several people mix all.

@gowthamgts: Strange, your messages are not clear:

You can follow my announcements here:

The good point, people speak about SCRAM "Salted Challenge Response Authentication Mechanism" security ;)

Badly, some people or projects like only old insecure mechanisms, some would like security improvements.

cc: @canselcik, @WinkelCode, @timrobbins1, @sebpretzer, @sroussey, @masklinn, @Asmor (not sure).

@mbhangui

mbhangui commented Mar 30, 2024

@Neustradamus had requested me too for implementation of SCRAM (See this). What he has asked me to add is something which is genuine and supported by many RFCs. Implementation of those RFCs in my project was what he pursued. Apart from the followup on SCRAM implementation he has been helpful on a few occasions to better organize my projects on GitHub. At no point has he suggested me to include any code apart from suggesting which projects have implemented SCRAM. IME he has always been sincere in interactions with me.

@LeoniePhiline

@Neustradamus Please stop CCing people who reacted to an issue comment.

@Neustradamus
Author

@LeoniePhiline: Sorry, thanks for your message.
It is important to understand all and not a little part :)

@gowthamgts

gowthamgts commented Mar 30, 2024

@Neustradamus I've already explained here dude. I don't understand why you keep spamming and ccing me everywhere. If you're not guilty just move on.

@Neustradamus
Author

Why? Because people contact me about it.
It is important to have the detail on linked publications because a lot of people do not click on other links directly.

Repository owner locked as off-topic and limited conversation to collaborators Mar 30, 2024
@duesee
Owner

duesee commented Mar 30, 2024

Thanks for the comments, but I feel this discussion is a bit of a distraction. If you disagree, write me an email and I'll unlock the discussion again.

@duesee duesee removed this from the 9.2 -- Higher-level, async-first, IMAP library for client- and server milestone Jun 29, 2024