On Fri, 25 Jan 2019 at 12:08, Evgeny wrote:
> On Fri, Jan 25, 2019 at 1:45 PM, Dave Cridland wrote:
> > I'm hearing "no", here - which is fine - but I do have a design for
> > enforced password changes and password resets, too. The former is
> > built around SASL2 (XEP-0388) and was actually o
On Fri, Jan 25, 2019, at 12:08, Evgeny wrote:
> We already have "avalanche problem" caused by server restarts, and
> SASL PLAIN + SCRAM'ed passwords only worsen it. Also, if an attacker
> harvests enough JIDs it may successfully perform DDoS against the
> server forcing it to compute HMACs at a hig
On Fri, Jan 25, 2019 at 1:45 PM, Dave Cridland wrote:
I'm hearing "no", here - which is fine - but I do have a design for
enforced password changes and password resets, too. The former is
built around SASL2 (XEP-0388) and was actually one of the original
design goals. Password resets we built
On Thu, 24 Jan 2019 at 20:03, Evgeny wrote:
> On Thu, Jan 24, 2019 at 9:15 PM, Dave Cridland wrote:
> > XMPP-Grid (that draft) essentially says both servers and clients MUST
> > implement EXTERNAL, SCRAM-SHA1, SCRAM-SHA1-PLUS, SCRAM-SHA-256, and
> > SCRAM-SHA-256-PLUS.
> >
> > Is there any int
On Fri, Jan 25, 2019 at 12:39 AM, Jonas Schäfer wrote:
My understanding is that Dave talks about Mandatory To Implement, which is
something different than Mandatory To Deploy / Mandatory To Offer (at least
that's what I get from reading the relevant section in RFC 6120).
I think this is fals