[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CRAM-SHA1 support
From: |
Simon Josefsson |
Subject: |
Re: CRAM-SHA1 support |
Date: |
Fri, 28 Aug 2009 11:25:01 +0200 |
User-agent: |
Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux) |
Simon Josefsson <address@hidden> writes:
> Lothar May <address@hidden> writes:
>
>> Hi,
>>
>> I found an old git entry in gsasl:
>>
>> "* Version 0.2.4 (released 2005-01-01)
>> ** The CRAM-MD5 mechanism is now preferred over DIGEST-MD5.
>> This decision was based on recent public research that suggest MD5 is
>> broken, while HMAC-MD5 not immediately compromised, and the lack of
>> public analysis on what consequences the MD5 break have for
>> DIGEST-MD5. Support for CRAM-SHA1 is under investigation, to enable
>> users to avoid MD5 completely."
>>
>> Any news on this? I would like to use CRAM-SHA1 - DIGEST-MD5 is tagged
>> as "historic", and CRAM-MD5 "potentially" broken.
>
> The SASL WG has just completed a last call on SCRAM-SHA1 which is the
> (long-awaited) replacement of both CRAM-MD5 and DIGEST-MD5. I need to
> find time to implement it in GNU SASL. If anyone wants to help with the
> implementation, that would be excellent.
>
> I'm aware that there are some libraries that support CRAM-SHA1, but it
> is not standardized. It would be easier to implement than CRAM-MD5.
Sorry I meant SCRAM-SHA1 here -------------------------------^^^^^^^^
/Simon
> However, because it is not standardized, and has some poor security
> properties as well (SCRAM solves them, that's why it took so long to
> complete) I'm not sure it is a good idea to support it. Thoughts?
>
> /Simon