[NNTP] Defining a new interoperable SASL mechanism for AUTHINFO

Julien ÉLIE julien at trigofacile.com
Mon Jul 31 12:06:01 PDT 2023


Hi all,

While testing the forthcoming release of the 2.2 branch of Cyrus SASL, I 
noticed the DIGEST-MD5 mechanism is no longer advertised.

Yet, RFC 4643 (AUTHINFO) states in Section 2.4.2:

    To ensure interoperability, client and server implementations of this
    extension MUST implement the [DIGEST-MD5] SASL mechanism.


It appears that DIGEST-MD5 was marked as obsolete more than a decade 
ago, in 2011, by RFC 6331 (Moving DIGEST-MD5 to Historic) because of 
several flaws.  This RFC recommends the use of SCRAM:

    The Salted Challenge Response Authentication Mechanism (SCRAM) family
    of SASL mechanisms [RFC5802] has been developed to provide similar
    features as DIGEST-MD5 but with a better design.
I plan on opening an RFC erratum intended to be held for a possible 
future document update, so as to recommend another SASL mechanism for 
interoperability.
(As SASL is currently not much used by news readers, publishing an RFC 
updating RFC 4643 is very certainly not worth the trouble; just opening 
an RFC erratum for reference will do the job.)

Would SCRAM-SHA-256 be OK for you?  Or would SCRAM-SHA-512 be better? 
(it may last some more years)

-- 
Julien ÉLIE

« Omnia uincit Amor et nos cedamus Amori. » (Virgile)
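As an added illustration, not part of the message above or of any INN/Cyrus SASL code, here is the SCRAM-SHA-256 exchange the post proposes, computed end to end in Python: the user name, password, salt and nonces are constructed values, and the AUTHINFO SASL framing around the four messages is left out.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from the mailing-list post; fixed
# nonces keep the run reproducible, real peers draw them from os.urandom.
USERNAME, PASSWORD, SALT = "alice", "correct horse battery", b"constructed salt"
CLIENT_NONCE, SERVER_NONCE_TAIL = "cnonce0123456789", "snonceABCDEFGHIJ"


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def provision(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """Server-side record: salt, i, StoredKey, ServerKey. Neither key is
    password-equivalent, unlike the H(user:realm:password) DIGEST-MD5 stores."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha256(_hmac(salted, b"Client Key")).digest(),
            "server_key": _hmac(salted, b"Server Key")}


def scram_sha256_exchange(username: str, password: str, record: dict,
                          client_nonce: str, server_nonce_tail: str) -> tuple:
    """Runs the four SCRAM-SHA-256 messages (RFC 5802/7677) as AUTHINFO SASL
    would carry them; returns (server_accepts, client_accepts)."""
    # C -> S: client-first-message is the gs2 header "n,," plus this bare part
    client_first_bare = f"n={username},r={client_nonce}"
    # S -> C: combined nonce, base64 salt and iteration count
    nonce = client_nonce + server_nonce_tail
    salt_b64 = base64.b64encode(record["salt"]).decode()
    server_first = f"r={nonce},s={salt_b64},i={record['i']}"
    # C -> S: c=biws is base64("n,,"), i.e. no channel binding; proof is appended
    client_final_no_proof = f"c=biws,r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_no_proof}".encode()
    # Client side: derive keys from the password plus the server's salt and i
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["i"])
    client_key = _hmac(salted, b"Client Key")
    client_sig = _hmac(hashlib.sha256(client_key).digest(), auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    # Server side: undo the XOR with its own ClientSignature, hash, compare to StoredKey
    recovered = bytes(a ^ b for a, b in zip(proof, _hmac(record["stored_key"], auth_message)))
    server_accepts = hmac.compare_digest(hashlib.sha256(recovered).digest(), record["stored_key"])
    # S -> C: v=ServerSignature; the client recomputes it from its own ServerKey
    server_signature = _hmac(record["server_key"], auth_message)
    expected = _hmac(_hmac(salted, b"Server Key"), auth_message)
    client_accepts = hmac.compare_digest(server_signature, expected)
    return server_accepts, client_accepts
```

A real server stops after a failed proof rather than sending `v=`; the function computes both checks so the two directions of authentication can be observed together.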


More information about the ietf-nntp mailing list