Open Neustradamus opened 2 years ago
Happy New Year to you as well!
Thanks for bringing this up. However, I can't make much sense of this largely uncommented collection of references.
I get that you propose adding a number of SCRAM-SHA algorithms to Crystal's standard library. I can find no comprehensible reason for that. Please detail why you think those should be added to the standard library (as opposed to being provided in a shard such as https://github.com/naqvis/cr-xmpp).
@straight-shoota: Thanks for your reply and your wishes.
It is to replace the old and insecure DIGEST-MD5 included in this lib by SCRAM-SHA- and SCRAM-SHA--PLUS.
I inform you that there are already 3 versions in cr-xmpp to help.
Of course you need to read: the SCRAM information is in this ticket, and a list of already compatible libs/softs is here:
It is important for security because DIGEST-MD5 is obsolete and insecure.
AFAIR Crystal's standard library does not implement CRAM-MD5 anywhere. The Digest namespace refers to hash digests in the general sense and is collecting different hash digest algorithms. What these are then applied for is outside the scope of the Crystal standard library. Removing any and all possibility to compute an MD5 hash digest does not seem reasonable. Likewise AFAIR there's no precedent for providing specific challenge response authentication mechanisms, so we need to have some actual good motivations brought forward to consider this.
Good comment from @konovod: https://github.com/crystal-lang/crystal/issues/11731#issuecomment-1008302600.
But here, the goal is to have SCRAM support.
Is it not possible to add it?
It can be added if there's a good reason to have this in stdlib. I don't see such good reason. It's probably better placed in a shard.
Dear @crystal-lang team,
First, I wish you a Happy New Year!
Note: @naqvis has already worked on a part here: https://github.com/naqvis/cr-xmpp I think that he can add it directly here:
SCRAM-SHA-512
Can you add in https://github.com/crystal-lang/crystal support for:
You can add too:
"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".
SCRAM-SHA-1(-PLUS): -- https://tools.ietf.org/html/rfc5802 -- https://tools.ietf.org/html/rfc6120
SCRAM-SHA-256(-PLUS): -- https://tools.ietf.org/html/rfc7677 since 2015-11-02 -- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
SCRAM-SHA-512(-PLUS): -- https://tools.ietf.org/html/draft-melnikov-scram-sha-512
SCRAM-SHA3-512(-PLUS): -- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512
https://xmpp.org/extensions/inbox/hash-recommendations.html
-PLUS variants:
IMAP:
LDAP:
HTTP:
2FA:
IANA:
Linked to:
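As an added example that is not part of this issue, of cr-xmpp or of Crystal's standard library, here is a Python walk-through of the SCRAM-SHA-256 exchange (RFC 5802 with the SHA-256 hash of RFC 7677) that the request above is about, run as both client and server. It uses the example inputs from RFC 7677 section 3 (user "user", password "pencil", the RFC's salt and nonces, 4096 iterations) and omits channel binding, so it shows the plain variant rather than the -PLUS variant the RFC 8600 quote prefers.

```python
import base64
import hashlib
import hmac

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_keys(password: str, salt: bytes, iterations: int):
    """RFC 5802 section 3 derivation with SHA-256 (RFC 7677): (ClientKey, StoredKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key

def scram_sha256_exchange(user, client_pw, enrolled_pw, cnonce, snonce, salt, iterations):
    """Run the four SCRAM-SHA-256 messages without channel binding (gs2 header "n,,").
    The server side only holds StoredKey/ServerKey from enrolment, never the password.
    Returns (messages, server_accepted_client, client_accepted_server)."""
    _, stored_key, server_key = derive_keys(enrolled_pw, salt, iterations)
    client_first_bare = f"n={user},r={cnonce}"
    nonce = cnonce + snonce  # server appends its own nonce to the client's
    server_first = f"r={nonce},s={b64(salt)},i={iterations}"
    client_final_bare = f"c={b64(b'n,,')},r={nonce}"  # c=biws: base64 of the gs2 header
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode("ascii")
    # Client: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    client_key, c_stored_key, c_server_key = derive_keys(client_pw, salt, iterations)
    proof = xor(client_key, hmac.new(c_stored_key, auth_message, hashlib.sha256).digest())
    client_final = f"{client_final_bare},p={b64(proof)}"
    # Server: recover ClientKey from the proof and check H(ClientKey) == StoredKey
    recovered = xor(proof, hmac.new(stored_key, auth_message, hashlib.sha256).digest())
    if not hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key):
        return ["n,," + client_first_bare, server_first, client_final, "e=invalid-proof"], False, False
    # Server proves knowledge of ServerKey; the client checks it with its own derivation
    server_sig = hmac.new(server_key, auth_message, hashlib.sha256).digest()
    expected = hmac.new(c_server_key, auth_message, hashlib.sha256).digest()
    client_ok = hmac.compare_digest(server_sig, expected)
    return ["n,," + client_first_bare, server_first, client_final, f"v={b64(server_sig)}"], True, client_ok

# Inputs taken from the RFC 7677 section 3 example (user "user", password "pencil", i=4096).
RFC7677_SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
RFC7677_CNONCE = "rOprNGfwEbeRWgbNEkqO"
RFC7677_SNONCE = "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
```

Note that the server never learns the password and a captured proof cannot be replayed, because AuthMessage binds both nonces; the -PLUS variants additionally fold the TLS channel binding into the gs2 header and the `c=` attribute.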