From julien at trigofacile.com Mon Jul 31 12:06:01 2023
From: julien at trigofacile.com (Julien ÉLIE)
Date: Mon, 31 Jul 2023 21:06:01 +0200
Subject: [NNTP] Defining a new interoperable SASL mechanism for AUTHINFO
Message-ID: <6c02223d-90ba-b27f-af1a-b0080fb0030d@trigofacile.com>

Hi all,

While testing the forthcoming release of the 2.2 branch of Cyrus SASL, I noticed the DIGEST-MD5 mechanism is no longer advertised. Yet, RFC 4643 (AUTHINFO) states in Section 2.4.2:

   To ensure interoperability, client and server implementations of
   this extension MUST implement the [DIGEST-MD5] SASL mechanism.

It appears that DIGEST-MD5 was marked as obsolete more than a decade ago, in 2011, by RFC 6331 (Moving DIGEST-MD5 to Historic) because of several flaws. This RFC recommends the use of SCRAM:

   The Salted Challenge Response Authentication Mechanism (SCRAM)
   family of SASL mechanisms [RFC5802] has been developed to provide
   similar features as DIGEST-MD5 but with a better design.

I plan on opening an RFC erratum intended to be held for a possible future document update, so as to recommend another SASL mechanism for interoperability. (As SASL is currently not much used by news readers, publishing an RFC updating RFC 4643 is very certainly not worth the trouble; just opening an RFC erratum for reference will do the job.)

Would SCRAM-SHA-256 be OK for you? Or would SCRAM-SHA-512 be better? (it may last some more years)

-- 
Julien ÉLIE

« Omnia uincit Amor et nos cedamus Amori. » (Virgile)
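For readers comparing the candidates named in the message, the following is an added, self-contained sketch of the SCRAM exchange from RFC 5802 (not code from the post, Cyrus SASL, or any news server): enrollment derives StoredKey/ServerKey so the server never keeps a password-equivalent, the client proves knowledge of the password against the server's salt and nonce, and the hash name is a parameter so the same code runs as SCRAM-SHA-256 or the SHA-512 variant the post asks about. Nonces, salt and iteration count are taken from the RFC 7677 example exchange; the username and password are constructed inputs.

```python
import base64
import hashlib
import hmac

# Hash-agnostic SCRAM core (RFC 5802). "sha256" gives SCRAM-SHA-256 (RFC 7677);
# "sha512" gives the SCRAM-SHA-512 variant: same construction, different hash.
def _h(name, data): return hashlib.new(name, data).digest()
def _hmac(name, key, data): return hmac.new(key, data, name).digest()
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
GS2 = base64.b64encode(b"n,,").decode()          # GS2 header "biws" (no channel binding)

def enroll(password, salt, iterations, name="sha256"):
    """Server-side enrollment: derive what the server stores instead of a password."""
    salted = hashlib.pbkdf2_hmac(name, password.encode(), salt, iterations)  # Hi()
    stored_key = _h(name, _hmac(name, salted, b"Client Key"))
    server_key = _hmac(name, salted, b"Server Key")
    return stored_key, server_key

def client_final(password, client_first_bare, server_first, name="sha256"):
    """Client: build client-final-message and the server signature it expects back."""
    p = dict(kv.split("=", 1) for kv in server_first.split(","))
    salt, iters = base64.b64decode(p["s"]), int(p["i"])
    without_proof = f"c={GS2},r={p['r']}"
    auth_msg = f"{client_first_bare},{server_first},{without_proof}".encode()
    salted = hashlib.pbkdf2_hmac(name, password.encode(), salt, iters)
    client_key = _hmac(name, salted, b"Client Key")
    client_sig = _hmac(name, _h(name, client_key), auth_msg)     # HMAC(StoredKey, AuthMessage)
    proof = base64.b64encode(_xor(client_key, client_sig)).decode()
    expect_v = base64.b64encode(_hmac(name, _hmac(name, salted, b"Server Key"), auth_msg)).decode()
    return f"{without_proof},p={proof}", expect_v

def server_verify(stored_key, server_key, client_first_bare, server_first, final, name="sha256"):
    """Server: recover ClientKey from the proof; H(ClientKey) must equal StoredKey."""
    without_proof, _, proof_b64 = final.rpartition(",p=")
    auth_msg = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_sig = _hmac(name, stored_key, auth_msg)
    client_key = _xor(base64.b64decode(proof_b64), client_sig)
    if not hmac.compare_digest(_h(name, client_key), stored_key):
        return None                                   # authentication failed
    return "v=" + base64.b64encode(_hmac(name, server_key, auth_msg)).decode()

def run_exchange(client_pw, server_pw, name="sha256"):
    """Full exchange with the RFC 7677 example nonces/salt (user and passwords are
    constructed). Returns (server accepted client, client accepted server)."""
    cnonce, snonce = "rOprNGfwEbeRWgbNEkqO", "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
    salt_b64, iters = "W22ZaJ0SNY7soEsUEjb6gQ==", 4096
    stored_key, server_key = enroll(server_pw, base64.b64decode(salt_b64), iters, name)
    first_bare = f"n=user,r={cnonce}"                 # client-first-message-bare
    server_first = f"r={cnonce}{snonce},s={salt_b64},i={iters}"
    final, expect_v = client_final(client_pw, first_bare, server_first, name)
    v = server_verify(stored_key, server_key, first_bare, server_first, final, name)
    return v is not None, v == "v=" + expect_v
```

Note that a compromised StoredKey lets an attacker impersonate the client but not recover the password, which is the design difference over DIGEST-MD5's password-equivalent stored hash.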