Remove support for unspecified SCRAM variants #6
Comments
horazont
added a commit
that referenced
this issue
Nov 8, 2018
The following SCRAM variants were previously supported by aiosasl, but not specified in any IETF document: * SCRAM-SHA-224(-PLUS) * SCRAM-SHA-384(-PLUS) * SCRAM-SHA-512(-PLUS) The only SCRAM-SHA-* specifications are: * RFC 7677 <https://tools.ietf.org/html/rfc7677> (SCRAM-SHA-256) and * RFC 5802 <https://tools.ietf.org/html/rfc5802> (SCRAM-SHA-1). Of those, RFC 7677 (which defines the registry) explicitly states: > Note: Members of this family MUST be explicitly registered using > the "IETF Review" [RFC5226] registration procedure. Reviews MUST > be requested on the KITTEN mailing list kitten@ietf.org (or a > successor designated by the responsible Security Area Director). > > […] > > Note to future SASL SCRAM mechanism designers: each new SASL > SCRAM mechanism MUST be explicitly registered with IANA and MUST > comply with the SCRAM-mechanism naming convention defined in > Section 4 of [RFC5802]. So while the unspecified mechanisms outlined above adhere to the naming convention, they’re not registered with the IANA (see <https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml>) at this point in time. This is thus a violation of the specification/unauthorized extension of the registered set of algorithms for no good reason. We should drop them to stay within the specification. In addition, an argument can be made that it’s not our place to invent new SCRAM variants without review. Fixes #6.
horazont
added a commit
that referenced
this issue
Nov 8, 2018
The following SCRAM variants were previously supported by aiosasl, but not specified in any IETF document: * SCRAM-SHA-224(-PLUS) * SCRAM-SHA-384(-PLUS) * SCRAM-SHA-512(-PLUS) The only SCRAM-SHA-* specifications are: * RFC 7677 <https://tools.ietf.org/html/rfc7677> (SCRAM-SHA-256) and * RFC 5802 <https://tools.ietf.org/html/rfc5802> (SCRAM-SHA-1). Of those, RFC 7677 (which defines the registry) explicitly states: > Note: Members of this family MUST be explicitly registered using > the "IETF Review" [RFC5226] registration procedure. Reviews MUST > be requested on the KITTEN mailing list kitten@ietf.org (or a > successor designated by the responsible Security Area Director). > > […] > > Note to future SASL SCRAM mechanism designers: each new SASL > SCRAM mechanism MUST be explicitly registered with IANA and MUST > comply with the SCRAM-mechanism naming convention defined in > Section 4 of [RFC5802]. So while the unspecified mechanisms outlined above adhere to the naming convention, they’re not registered with the IANA (see <https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml>) at this point in time. This is thus a violation of the specification/unauthorized extension of the registered set of algorithms for no good reason. We should drop them to stay within the specification. In addition, an argument can be made that it’s not our place to invent new SCRAM variants without review. Fixes #6.
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The following SCRAM variants are supported by aiosasl, but not specified in any IETF document:
The only SCRAM-SHA-* specifications are: RFC7677 (-256) and RFC5802 (-1). Of those, RFC 7677 explicitly states:
So while the mechanisms outlined above adhere to the naming convention, they’re not registered with the IANA at this point in time.
This is thus a violation of the specification/unauthorized extension of the registered set of algorithms for no good reason. We should drop them to stay within the specification.
In addition, an argument can be made that it’s not our place to invent new SCRAM variants without review.
The text was updated successfully, but these errors were encountered: