On Fri, Feb 8, 2019, at 06:24, Marcel Waldvogel wrote:
> Would it be possible to grant an exemption to the -PLUS requirement for
> browser-based clients? I.e., have a footnote behind "RFC 6120"
> consisting of "The mandatory-to-implement requirement of
> SCRAM-SHA-1-PLUS is waived for clients operating in environments where
> access to TLS information is not possible, i.e. browsers"?

If you can't implement it, you can't implement it. I don't think there's much point in being "compliant for compliance's sake". The point of being compliant with this particular bit of the spec is interoperability, but not being compliant likely won't hurt that.

Put another way: specs don't overrule reality. Your exemption is already granted because your TLS stack doesn't support the things needed for -PLUS.

—Sam
