Optional domain/realm for SCRAM? (Re: Crypto agility in SCRAM + draft-josefsson-password-auth?)

[Nicolas Williams <Nicolas.Williams@xxxxxxx>]

Also, one thing I've been wanting is a notion of optional domain or
realm for SCRAM.

The motivation is to allow per-{user, domain/realm} enrolment and the
domain to then distribute verifiers to various servers, where each
verifier is distinct from the others and cannot be reversed to recover
the domain/realm verifier/generator nor any of the other servers'
verifiers.

If the client knows the domain/realm, then it works that into the key
derivation hierarchy and asserts the domain/realm in its first and
second messages to the server.

Else the server asserts a domain/realm in its first message to the
client and the client decides whether that's OK (keep reading), derives
keys, and goes on.  The way the client decides whether a server-asserted
domain/realm is OK is as follows: if the domain/realm == server name
then it's OK, else it will need to use local policy to decide whether to
go on, prompt the user, or fail (with a reasonable default).

Nico
--