Open Neustradamus opened 1 year ago
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
Tagging subscribers to this area: @dotnet/ncl, @vcsjones See info in area-owners.md if you want to be subscribed.
Author: | Neustradamus |
---|---|
Assignees: | - |
Labels: | `area-System.Net.Security`, `untriaged` |
Milestone: | - |
@wfurt, @aik-jahoda, @filipnavara, @hughbe: What do you think?
I have added some info in the main ticket.
not in 7.0. We may look into it in 8.0. On Windows this comes from schannel. We will need to check what is supported there.
Dear @dotnet team,
Have you progressed on it?
no, but we may during 9.0. On Windows, this could just work as we depends on schannel implementation. It will need some more research and testing. What is your intended use case @Neustradamus ?
Dear all @dotnet team,
Any news of this security missing problem?
Thanks in advance.
Where I can send an email to security Microsoft team?
@wfurt
Hi, I'm the author of MailKit and @Neustradamus has asked me to comment here, although I don't think my comment will go the way he expects.
It appears that @Neustradamus goes around to every single project on GitHub that supports any mode of SASL authentication and requests that they implement support for all of the (numerous) SCRAM-SHA-* authentication mechanisms combined with the channel binding support that the -PLUS
variants require.
When he asked me to implement tls-export
channel binding support for the SCRAM mechanisms, I told him that I couldn't because .NET's SslStream didn't support it which is how this issue got opened.
Foolishly, I wasted a ton of time implementing all of the SCRAM mechanisms and channel binding support for tls-unique
and tls-server-end-point
several years ago under the assumption that he had filed these feature requests for MailKit because he needed them (as opposed to him using MailKit and dozens of other hapless projects as evidence that there is wide support for it).
Now I see that not a single human being is asking for SCRAM on any of these products other than @Neustradamus himself, which leads me to conclude that there is absolutely no organic demand for it anywhere.
I'm sure @Neustradamus has all of the best intentions, but I wish that he realized how much wasted effort he is causing for developers across a wide variety of projects that might be better off focusing their effort on other things that matter more.
In conclusion, this is all about checking a checkbox and nothing more as far as I can tell.
My recommendation would be to wait and see if there is any actual organic demand for it. That's my plan from here on out.
Edit:
This was an interesting read on the topic of SCRAM: https://blog.josefsson.org/2021/06/08/whats-wrong-with-scram/
@jstedfast: SCRAM-SHA-1, SCRAM-SHA-1-PLUS, SCRAM-SHA-256, SCRAM-SHA-256-PLUS have been added in GNU SASL by @jas4711, the author of your latest link.
You can see a lot of information about SCRAM and Channel Binding and a list of supported projects:
Old and unsecure mechanisms like CRAM-MD5 and DIGEST-MD5 have been removed from Cyrus SASL and Cyrus IMAP in master code.
You can see that Cyrus SASL/IMAP, Dovecot, Exim support SCRAM-SHA-*-PLUS and several other softwares, look the uncomplete list.
thanks for the feedback @jstedfast. I'll ping Windows TLS team to see what is their take on it.
@wfurt: Thanks for your ping to Windows TLS team!
I hope a security solution soon.
It is linked to Microsoft Channel Binding:
It is needed to have a compatibility with:
Description
Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
Little details, to know easily:
Thanks in advance.
Linked to:
Reproduction Steps
Please read the RFC9266.
Expected behavior
Please read the RFC9266.
Actual behavior
Please read the RFC9266.
Regression?
No response
Known Workarounds
No response
Configuration
No response
Other information
No response