[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: WG Last Call: draft-ietf-sasl-scram-02
-----BEGIN PGP SIGNED MESSAGE-----
On 7/29/09 1:58 PM, Peter Saint-Andre wrote:
> SECTION 4
> Typo: "hashed function" => "hash function"
> I think the following text is slightly ambiguous:
> The "-PLUS" suffix is used only when the server supports channel
> binding to the external channel. In this case the server will
> advertise both, SCRAM-SHA-1 and SCRAM-SHA-1-PLUS, otherwise the
> server will advertise only SCRAM-SHA-1. The "-PLUS" exists to allow
> negotiation of the use of channel binding. See Section 6.
> This could be read to mean that if a server does not support channel
> bindings, then it will advertise only all and only SCRAM-SHA-1 (but
> never, say, SCRAM-SHA-256). I think we mean that if a server does not
> support channel bindings, then it will advertise only mechanisms of the
> form SCRAM-SHA-length and never mechanisms of the form
> SCRAM-SHA-length-PLUS (thus not forbidding support for hash functions
> other than SHA-1).
Alexey and I talked about this in Stockholm. I suggest the following text:
The "-PLUS" suffix is used only when the server supports channel
binding to the external channel. If the server supports channel
binding, it will advertise both the "bare" and "plus" versions of
whatever mechanisms it supports (e.g., if the server supports only
SCRAM with SHA-1 then it will advertise support for both SCRAM-SHA-1
and SCRAM-SHA-1-PLUS); if the server does not support channel
binding, then it will advertise only the "bare" version of the
mechanism (e.g., only SCRAM-SHA-1). The "-PLUS" exists to allow
negotiation of the use of channel binding. See Section 6.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----