
Re: authPassword (RFC 3112) implemented?
Kurt Zeilenga writes:
> On Jul 15, 2007, at 6:59 AM, Hallvard B Furuseth wrote:
>> Pierangelo Masarati writes:
>>> AFAIK, the attribute and so is recognized, but it's not implemented
>>> (nor won't, as it is no longer needed).
>>
>> If it's no longer needed - what has changed?
>
> The technical needs haven't changed.  Folks now seem to be finally
> getting that they have a choice between: a) stronger (than PLAIN)
> authentication mechanisms (e.g., DIGEST-MD5, SCRAM, YAP, SRP, etc.)
> (and a single clear text password) or b) PLAIN.

I don't quite see the connection.  Those are protocol matters, while
{MD5} & co are about how the secret is stored on the server side.  There
are good reasons to use both variants, including security reasons.
Simple Auth and PLAIN do not require data to be stored on the server
side which is enough to authenticate to the server, short of a brute
force search.  Which admittedly is a *lot* cheaper now than a few years
ago.  DIGEST-MD5 and YAP (I think) do.  I think SRP and SCRAM do not,
but SCRAM is unfinished and the SRP SASL draft seems to have expired.

-- 
Hallvard
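The distinction Hallvard draws between what is stored on the server and what the mechanism requires can be made concrete. The following is an added illustration, not code from the thread or from OpenLDAP: it implements a hashed-storage verifier in the style of OpenLDAP's {SSHA} userPassword scheme (RFC 2307 conventions, base64 of sha1(password + salt) followed by the salt), and beside it the server-side computation of a DIGEST-MD5 response per RFC 2831 with qop=auth. With {SSHA}, the server can only check a candidate password it is handed at bind time. With DIGEST-MD5, the server must hold HA1 = MD5(username:realm:password) (or the clear password to derive it), and HA1 alone is what it uses to compute the expected response, which is why HA1 has to be protected like the password itself. The usernames, realm, nonces and passwords below are constructed sample values, and the function names are my own.

```python
import base64
import hashlib
import os
from typing import Optional

# ---- Scheme 1: hashed storage ({SSHA}) as used with simple bind / SASL PLAIN ----

def ssha_store(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, candidate: str) -> bool:
    """Server-side check. Needs the candidate password itself; the stored
    value is a verifier, not something that can stand in for the password."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]           # SHA-1 digest is 20 bytes
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


# ---- Scheme 2: DIGEST-MD5 (RFC 2831, qop=auth) ----

def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """HA1 = H(username:realm:password). This is what the server must keep."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str) -> str:
    """RFC 2831 response-value for qop=auth, computed from HA1 only:
    A1 = H(user:realm:pw) ":" nonce ":" cnonce
    A2 = "AUTHENTICATE:" digest-uri
    response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    Both client and server evaluate exactly this; neither needs the clear
    password once HA1 is in hand."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = (f"{hashlib.md5(a1).hexdigest()}:{nonce}:{nc}:{cnonce}:{qop}:"
          f"{hashlib.md5(a2).hexdigest()}")
    return hashlib.md5(kd.encode()).hexdigest()


def digest_md5_server_verify(stored_ha1: bytes, client_response: str, nonce: str,
                             cnonce: str, nc: str, qop: str, digest_uri: str) -> bool:
    """The server recomputes the response from its stored HA1 and compares."""
    expected = digest_md5_response(stored_ha1, nonce, cnonce, nc, qop, digest_uri)
    return expected == client_response


if __name__ == "__main__":
    # Constructed sample values.
    stored = ssha_store("correct horse battery", b"s4lt")
    print("stored:", stored)
    print("simple bind with right password:", ssha_verify(stored, "correct horse battery"))
    print("simple bind with wrong password:", ssha_verify(stored, "wrong"))

    ha1 = digest_md5_ha1("alice", "example.test", "correct horse battery")
    nonce, cnonce, nc, qop, uri = "srvnonce1", "clinonce1", "00000001", "auth", "ldap/example.test"
    resp = digest_md5_response(ha1, nonce, cnonce, nc, qop, uri)
    print("DIGEST-MD5 verified from stored HA1:",
          digest_md5_server_verify(ha1, resp, nonce, cnonce, nc, qop, uri))
```

Running it shows the asymmetry in the thread: the {SSHA} verifier is only useful to the server as a yes/no check against a password presented at bind time, whereas the DIGEST-MD5 server's stored HA1 is the very input the response is computed from, so a directory that offers DIGEST-MD5 cannot keep its secrets in a one-way form.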