[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]
Robin Redeker
elmex at x-paste.de
Thu Sep 13 01:59:07 CDT 2007
On Wed, Sep 12, 2007 at 01:53:37PM +0100, Ian Paterson wrote:
> Peter Saint-Andre wrote:
> >Ian Paterson wrote:
> >
> >>In real life servers will always be compromised (especially in cases
> >>where the attacker is the service provider). So SASL PLAIN still
> >>contains a serious vulnerability that is easily fixed in those cases
> >>where DIGEST-MD5 is a practical option.
> >>
> >
> >Except that DIGEST-MD5 is effectively being deprecated by the IETF. Thus
> >the interest in SCRAM, YAP, and their ilk.
> >
>
> With all due respect to the experts at the IETF, I feel (as a
> non-expert) that they are trying to deprecate DIGEST-MD5 before it has a
> suitable replacement (i.e. another one that protects users' passwords
> from a compromised server). I strongly agree we should recommend/require
> SCRAM and/or YAP as soon as they are baked. But is that likely to happen
> before 3920bis is published?
>
> I agree that if we start recommending SASL PLAIN in addition to
> DIGEST-MD5 now, *and if we continue to do so in the future*, then we can
> ensure that current implementations will still be compatible with future
> implementations that have removed support for DIGEST-MD5.
>
> However I don't understand why we are considering recommending weakening
> the security of XMPP servers in the short and medium term by not
> requiring any of DIGEST-MD5 or SCRAM or YAP. Are XMPP implementors
> experiencing interoperability issues with DIGEST-MD5?
One problem we encountered when talking about JID escaping and actually
trying it in the real world:
http://thread.gmane.org/gmane.network.jabber.standards-jig/16309/focus=16466
The most obvious solution would be: Clients and Servers that have broken
DIGEST-MD5 implementations should fix them ASAP.
Problem with that solution is: Even if the SASL implementations are
fixed fast (within a few weeks) there will still be a lot of old servers
out there and old clients. That of course causes no direct interop
problems as no one uses \ in their JIDs yet.
Robin
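A worked illustration of the two points in this exchange, added here as example code (it is not from the thread, the linked discussion, or any XMPP implementation): the DIGEST-MD5 response of RFC 2831 computed for a JID-escaped username that contains a backslash, using the XEP-0106 escaped form of "space cat". The server side stores only H(username:realm:password), so the password appears neither on the wire nor in the server's database, which is the property the quoted reply is after. Because a backslash must be doubled inside the quoted-string on the wire, a server that strips the quotes but does not resolve the escapes looks up a non-existent user and rejects the login; that failure mode is an assumption chosen to show how a backslash in a JID can break an otherwise working DIGEST-MD5 exchange, not a claim about which implementations were broken. The nonces, realm and credentials are constructed.

```python
"""DIGEST-MD5 (RFC 2831) response and server check with a backslash in the username."""
import hashlib
import hmac
import re

def h(data: bytes) -> bytes:
    """H() from RFC 2831: the raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()

def hexh(data: bytes) -> str:
    """HEX(H()) from RFC 2831: lowercase hex of the MD5 digest."""
    return hashlib.md5(data).hexdigest()

def quote_value(value: str) -> str:
    """Wire form of a quoted-string: backslash and double quote are escaped
    with a backslash, so the backslash of a XEP-0106 escaped node is doubled."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def unquote_value(quoted: str) -> str:
    """Inverse of quote_value: strip the quotes and resolve quoted-pairs."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("not a quoted-string: %r" % quoted)
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])

def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What a DIGEST-MD5 server may keep instead of the password:
    H(username:realm:password) (RFC 2831 section 3.9)."""
    return h(f"{username}:{realm}:{password}".encode("utf-8"))

def response_from_secret(secret: bytes, nonce: str, cnonce: str, nc: str,
                         qop: str, digest_uri: str) -> str:
    """response-value for qop=auth, RFC 2831 section 2.1.2.1."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    return hexh(f"{hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hexh(a2)}".encode("utf-8"))

def client_response_message(username, realm, password, nonce, cnonce,
                            digest_uri, nc="00000001", qop="auth") -> str:
    """Build the digest-response the client sends; only H() values derived
    from the password leave the client, never the password itself."""
    resp = response_from_secret(stored_secret(username, realm, password),
                                nonce, cnonce, nc, qop, digest_uri)
    return ",".join([
        f"username={quote_value(username)}",
        f"realm={quote_value(realm)}",
        f"nonce={quote_value(nonce)}",
        f"cnonce={quote_value(cnonce)}",
        f"nc={nc}",
        f"qop={qop}",
        f"digest-uri={quote_value(digest_uri)}",
        f"response={resp}",
        "charset=utf-8",
    ])

# One directive per match; escaped characters and commas inside a
# quoted-string stay inside the value.
DIRECTIVE = re.compile(r'([a-zA-Z-]+)=("(?:[^"\\]|\\.)*"|[^,]*)')

def parse_directives(message: str) -> dict:
    """Split a digest-response into its name=value directives."""
    return dict(DIRECTIVE.findall(message))

def server_verify(message: str, secrets: dict, unquote_username: bool = True) -> bool:
    """Check a digest-response against stored H(user:realm:pass) values.
    unquote_username=False models an assumed broken server that strips the
    quotes but leaves the backslash escapes in place."""
    d = parse_directives(message)
    if unquote_username:
        username = unquote_value(d["username"])
    else:
        username = d["username"].strip('"')
    realm = unquote_value(d["realm"])
    secret = secrets.get((username, realm))
    if secret is None:
        return False
    expected = response_from_secret(secret, unquote_value(d["nonce"]),
                                    unquote_value(d["cnonce"]), d["nc"],
                                    d["qop"], unquote_value(d["digest-uri"]))
    return hmac.compare_digest(expected, d["response"])

# Constructed sample: the XEP-0106 escaped node for "space cat" is
# "space\20cat", so the localpart itself contains a backslash.
USERNAME = "space\\20cat"
REALM = "example.com"              # constructed realm
PASSWORD = "correct horse"         # constructed password
NONCE = "OA6MG9tEQGm2hh"           # constructed server nonce
CNONCE = "OA6MHXh6VqTrRk"          # constructed client nonce
DIGEST_URI = "xmpp/example.com"

SECRETS = {(USERNAME, REALM): stored_secret(USERNAME, REALM, PASSWORD)}
MESSAGE = client_response_message(USERNAME, REALM, PASSWORD, NONCE, CNONCE, DIGEST_URI)

if __name__ == "__main__":
    print(MESSAGE)
    print("correct server:", server_verify(MESSAGE, SECRETS))
    print("server that skips unquoting:", server_verify(MESSAGE, SECRETS, unquote_username=False))
```

The caveat a practitioner should keep in mind when reading the "protects passwords from a compromised server" argument: the stored H(username:realm:password) is not the password, but it is enough to impersonate that user to that realm and it can be brute-forced offline, so the protection is against password reuse elsewhere, not against abuse of the compromised account.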