[Security] SCRAM Implementations

Simon Josefsson simon at josefsson.org
Mon Apr 19 10:35:59 CDT 2010

"Mason, Matt" <Matt.Mason at agilysys.com> writes:

> Greetings -
> I have come to understand that the SCRAM - Salted Challenge Response
> Authentication Method is the most secure authentication method available
> for XMPP connectivity.  Can this list please verify that as well as
> point me to docs or published implementations?

SCRAM shouldn't be worse than CRAM-MD5 or DIGEST-MD5.  I believe the
revised XMPP will use SCRAM as mandatory-to-implement.

The specification is available from:


The document is in the RFC editor's queue waiting for the TLS channel
binding specification.

GNU SASL implements SCRAM, in stable release since November 2009.  It
will be included in the upcoming Ubuntu 10.04 LTS and Debian Squeeze
releases.  I've performed interop tests with several other implementers.



More information about the Security mailing list