Re: SCRAM methods
From: Jeremy Harris
Subject: Re: SCRAM methods
Date: Wed, 15 Jan 2020 14:06:12 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
On 15/01/2020 09:27, Simon Josefsson wrote:
>> On 14/01/2020 22:19, Simon Josefsson wrote:
>>> Please try version 1.9.1 and tell me if it does what you
>>> want! There are new properties for ServerKey/StoredKey now.
>>
>> Yes, that works nicely for the server side.
>> Client side in the next patch release?
>
> Currently I prefer to not implement ClientKey support -- there isn't
> any security advantage with it as far as I can see. Stealing
> SaltedPassword or ClientKey/StoredKey both make client and server
> impersonation possible.
>
> I believe clients should store cleartext-password or the
> SaltedPassword. Storing PBKDF2 values in clients is not that uncommon,
> so there may be infrastructure in place for it in some environments --
> whereas ClientKey/StoredKey are entirely SCRAM-specific.
I'm fine with that; I fully understand the minimum-changes
argument. I've updated the Exim implementation to match
(and pushed to the repo I pointed you to, if you're using that).
It'll go into the next release. Thanks for your work on this.
--
Cheers,
Jeremy
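The point argued in the quoted reply (that a client holding SaltedPassword can derive everything else SCRAM needs, so a separate ClientKey/StoredKey store adds nothing) is easiest to see in the RFC 5802 derivation itself. The following is an added example, not code from this thread, from Exim or from the SASL library discussed; the salt, iteration count, password and AuthMessage are constructed sample values, and the hash is SCRAM-SHA-256.

```python
import hashlib
import hmac

HASH = "sha256"  # SCRAM-SHA-256 (RFC 7677); the derivation is identical for SCRAM-SHA-1


def salted_password(password: bytes, salt: bytes, iterations: int) -> bytes:
    """SaltedPassword := Hi(Normalize(password), salt, i); Hi is PBKDF2 over HMAC."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def derive_keys(salted_password: bytes) -> dict:
    """Every other SCRAM key is derived from SaltedPassword (RFC 5802 section 3)."""
    client_key = hmac.new(salted_password, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", HASH).digest()
    return {"ClientKey": client_key, "StoredKey": stored_key, "ServerKey": server_key}


def client_proof(client_key: bytes, stored_key: bytes, auth_message: bytes) -> bytes:
    """ClientProof := ClientKey XOR HMAC(StoredKey, AuthMessage); needs ClientKey itself."""
    signature = hmac.new(stored_key, auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def server_verifies_client(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    """Server recovers ClientKey = ClientProof XOR ClientSignature, checks H(ClientKey) == StoredKey."""
    signature = hmac.new(stored_key, auth_message, HASH).digest()
    recovered_client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.new(HASH, recovered_client_key).digest(), stored_key)


def server_signature(server_key: bytes, auth_message: bytes) -> bytes:
    """ServerSignature := HMAC(ServerKey, AuthMessage); proves possession of ServerKey."""
    return hmac.new(server_key, auth_message, HASH).digest()


def demo() -> bool:
    # Constructed values; in a real exchange salt and i arrive in the server-first-message.
    salt, iterations = b"constructed-salt", 4096
    auth_message = b"n=user,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce"
    # Client keeps only SaltedPassword (as suggested in the thread) and derives the rest per run.
    client_side = derive_keys(salted_password(b"pencil", salt, iterations))
    # Server stores StoredKey and ServerKey; it never needs ClientKey or SaltedPassword.
    server_side = {k: client_side[k] for k in ("StoredKey", "ServerKey")}
    proof = client_proof(client_side["ClientKey"], client_side["StoredKey"], auth_message)
    client_ok = server_verifies_client(server_side["StoredKey"], auth_message, proof)
    # Client checks the server's signature with the ServerKey it derived from SaltedPassword.
    server_ok = hmac.compare_digest(server_signature(server_side["ServerKey"], auth_message),
                                    server_signature(client_side["ServerKey"], auth_message))
    return client_ok and server_ok
```

Because ClientKey, StoredKey and ServerKey all fall out of SaltedPassword, a stolen SaltedPassword yields both the client proof and the server signature, which is the equivalence the reply relies on.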