Standards May 2024

standards@xmpp.org

17 participants
12 discussions

STABLE: XEP-0398 (User Avatar to vCard-Based Avatars Conversion)

by Daniel Gultsch

Version 1.0.0 of XEP-0398 (User Avatar to vCard-Based Avatars Conversion) has been released. Abstract: This specification describes a method for using PEP based avatars and vCard based avatars in parallel by having the user’s server do a conversion between the two. Changelog: Accept as Stable as per Council Vote from 2024-04-30. (XEP Editor (dg)) URL: https://xmpp.org/extensions/xep-0398.html Note: The information in the XEP list at https://xmpp.org/extensions/ is updated by a separate automated process and may be stale at the time this email is sent. The XEP documents linked herein are up-to- date.

4 months

Fwd: [kitten] SCRAM-SHA512 and SCRAM-SHA3

by Matthew Wild

Hi folks, I'm forwarding this email that was posted to the IETF working group responsible for SASL improvements, because I think it is quite relevant to people here, yet many are probably not following the kitten mailing list. I'm aware that by now most XMPP projects have received feature requests to implement what are essentially obscure flavours of SCRAM, without much rationale beyond what can be paraphrased as "the numbers are bigger, and therefore better". If we decide to move the protocol and ecosystem beyond SCRAM-SHA-1 (which is required by the current RFC) and possibly SCRAM-SHA-256, it should be with the necessary attention paid to interoperability and security. All current feature requests I've seen lack this. ---------- Forwarded message --------- From: Simon Josefsson <simon=40josefsson.org(a)dmarc.ietf.org> Date: Thu, 2 May 2024, 09:20 Subject: [kitten] SCRAM-SHA512 and SCRAM-SHA3 To: <kitten(a)ietf.org> Hi I'm seeing push on implementers to add support for these variants, and I noticed new drafts were published recently. I want to repeat some earlier concerns. I believe the cost of having these two mechanisms as standard mechanisms in the ecosystem costs more than any advantages we would get out of them. There is still no cryptographic attack on HMAC-MD5, yet alone the HMAC-SHA1 or HMAC-SHA256 that are used in SCRAM-SHA1 and SCRAM-SHA256 that we are still seeing deployment of. Adding SCRAM-SHA512/SHA3 variants create additional requirements on hashed password database formats and APIs, since they are not compatible with SCRAM-SHA1 and SCRAM-SHA256. Parametrization of security protocols and algorithms are generally a bad idea as it adds complexity which reduce security. There is the negotiation interop problem if a server has one credential but not the other for a subset of users. If some people are using these variants, I would agree that having them documented is useful. Then I believe the category should be Informational rather than standards track, and warnings about the problems should be added. /Simon _______________________________________________ Kitten mailing list Kitten(a)ietf.org https://www.ietf.org/mailman/listinfo/kitten

4 months, 1 week

2024

2023

Standards May 2024 ----- 2024 ----- September 2024 August 2024 July 2024 June 2024 May 2024 April 2024 March 2024 February 2024 January 2024 ----- 2023 ----- December 2023

Standards May 2024