Re: SCRAM methods
From: Simon Josefsson
Subject: Re: SCRAM methods
Date: Wed, 15 Jan 2020 23:46:15 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Jeremy Harris <address@hidden> writes:
> On 15/01/2020 09:27, Simon Josefsson wrote:
>>> On 14/01/2020 22:19, Simon Josefsson wrote:
>>>> Please try version 1.9.1 and tell me if it does what you
>>>> want! There are new properties for ServerKey/StoredKey now.
>>>
>>> Yes, that works nicely for the server side.
>>> Client side in the next patch release?
>>
>> Currently I prefer to not implement ClientKey support -- there isn't
>> any security advantage with it as far as I can see. Stealing
>> SaltedPassword or ClientKey/StoredKey both make client and server
>> impersonation possible.
>>
>> I believe clients should store cleartext-password or the
>> SaltedPassword. Storing PBKDF2 values in clients is not that uncommon,
>> so there may be infrastructure in place for it in some environments --
>> whereas ClientKey/StoredKey are entirely SCRAM-specific.
>
> I'm fine with that; I fully understand the minimum-changes
> argument. I've updated the Exim implementation to match
> (and pushed to the repo I pointed you to, if you're using that).
>
> It'll go into the next release. Thanks for your work on this.
Yay, thank you! I'll release this as a new stable 1.10.0 once I have
worked through the QA cycle to do a stable release.
/Simon
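The quoted discussion turns on the SCRAM key hierarchy: SaltedPassword is a plain PBKDF2 output, ClientKey and StoredKey are derived from it and are SCRAM-specific, and the server only ever needs StoredKey and ServerKey. The following is an added example, not code from GNU SASL or Exim, that derives all four values for SCRAM-SHA-256 and runs the final round trip with the client holding nothing but SaltedPassword and the server holding only its StoredKey/ServerKey record. It assumes the RFC 7677 section 3 test vector (user "user", password "pencil") and omits SASLprep, which is a no-op for that ASCII password.

```python
"""SCRAM-SHA-256 key derivation and one complete exchange (RFC 5802 / RFC 7677).

Added example, not code from GNU SASL or Exim.  The client side below keeps
only SaltedPassword; the server side keeps only StoredKey and ServerKey.
"""
import base64
import hashlib
import hmac

HASH = "sha256"


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-<hash>, dkLen = hash output length.
    # SASLprep is omitted here (assumption: plain ASCII passwords only).
    return hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)


def client_key(sp: bytes) -> bytes:
    return hmac.new(sp, b"Client Key", HASH).digest()


def stored_key(ck: bytes) -> bytes:
    return hashlib.new(HASH, ck).digest()


def server_key(sp: bytes) -> bytes:
    return hmac.new(sp, b"Server Key", HASH).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_credential(password: str, salt: bytes, iterations: int) -> dict:
    """What the server persists: salt, iteration count, StoredKey and ServerKey."""
    sp = salted_password(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key(client_key(sp)), "server_key": server_key(sp)}


def client_proof(sp: bytes, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    Every input derives from SaltedPassword, so that is all a client must store."""
    ck = client_key(sp)
    sig = hmac.new(stored_key(ck), auth_message, HASH).digest()
    return _xor(ck, sig)


def server_check_proof(cred: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: unmask ClientKey from the proof, then check H(ClientKey) == StoredKey."""
    sig = hmac.new(cred["stored_key"], auth_message, HASH).digest()
    return hmac.compare_digest(stored_key(_xor(proof, sig)), cred["stored_key"])


def server_signature(srv_key: bytes, auth_message: bytes) -> bytes:
    return hmac.new(srv_key, auth_message, HASH).digest()


def run_exchange(password: str, cred: dict, client_first_bare: str,
                 server_first: str, client_final_bare: str) -> dict:
    """Final round trip: client sends p=, server answers v=, both sides verify."""
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    sp = salted_password(password, cred["salt"], cred["iterations"])  # client's only secret
    proof = client_proof(sp, auth_message)
    client_ok = server_check_proof(cred, auth_message, proof)          # needs StoredKey only
    verifier = server_signature(cred["server_key"], auth_message)      # needs ServerKey only
    server_ok = hmac.compare_digest(verifier, server_signature(server_key(sp), auth_message))
    return {"proof": base64.b64encode(proof).decode(),
            "verifier": base64.b64encode(verifier).decode(),
            "client_accepted": client_ok, "server_accepted": server_ok}


# RFC 7677 section 3 test vector (user "user", password "pencil", i=4096).
RFC7677_SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
RFC7677_NONCE = "rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
RFC7677_CLIENT_FIRST_BARE = "n=user,r=rOprNGfwEbeRWgbNEkqO"
RFC7677_SERVER_FIRST = f"r={RFC7677_NONCE},s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096"
RFC7677_CLIENT_FINAL_BARE = f"c=biws,r={RFC7677_NONCE}"
RFC7677_PROOF = "dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ="
RFC7677_VERIFIER = "6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="


def rfc7677_exchange(client_password: str = "pencil") -> dict:
    """Server enrolled with 'pencil'; the client may try any password."""
    cred = server_credential("pencil", RFC7677_SALT, 4096)
    return run_exchange(client_password, cred, RFC7677_CLIENT_FIRST_BARE,
                        RFC7677_SERVER_FIRST, RFC7677_CLIENT_FINAL_BARE)


if __name__ == "__main__":
    good = rfc7677_exchange()
    print("p=", good["proof"], "matches RFC 7677:", good["proof"] == RFC7677_PROOF)
    print("v=", good["verifier"], "matches RFC 7677:", good["verifier"] == RFC7677_VERIFIER)
    bad = rfc7677_exchange("pencils")
    print("wrong password accepted by server:", bad["client_accepted"])
```

Note where each secret lives: `run_exchange` gives the client only `sp` (SaltedPassword) and the server only `cred`, and the exchange still completes, which is the point made in the thread that a client storing SaltedPassword needs no separate ClientKey/StoredKey support. The wrong-password run fails on both sides, since the server recovers a ClientKey whose hash does not match StoredKey and the client's own ServerKey does not reproduce the `v=` value.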