On Mon May 10 19:20:00 2010, Mason, Matt wrote:
Greetings -

I have been reading the draft SCRAM
<http://tools.ietf.org/html/draft-newman-auth-scram-13#page-7> which apparently has expired.

As Tobias says, it got adopted as an IETF WG draft, and got a name-change.

 Is there a sample implementation of the SCRAM
algorithm somewhere?

I don't know about a sample, but there are various implementations, open-source and not.

But really, you shouldn't be implementing it, you should be getting an existing SASL library that fits your needs.

  Is the XMPP community still thinking that SCRAM
provides the best protection for authentication?

No, I don't think we've ever thought that.

What we have thought is that it provides a simple-to-implement mechanism which is password-based, appears to be entirely unencumbered by patents etc, and provides reasonable security.

If you *really* want the best security possible, then smartcards and X.509-based ECDSA cryptography seem to be the current thing. This, too, is possible with XMPP in standards-based ways.

Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
