(The work in this commit was done about 18 months ago, as part of #78. In fact, the work done in this PR was used to guide the style of all of the new authenticators. I wasn't sure whether it was worth submitting as a PR, but for the sake of completeness: here it is.)
Yes, DIGEST-MD5 is deprecated! But that also means that it was lower risk for experimenting with other SASL changes. Its complexity vs most other mechanisms made it a good test-bed for the completeness of net-imap's SASL implementation. For example:
- It demonstrated that we were missing features such as `done?`.
  Added in #179.
- It demonstrates the utility of using callbacks for attributes such as `realm` (the user might select from a server-provided list).
  Please note: the initial work I did to support attribute callbacks was reverted, to simplify the SASL re-write. It could still be a useful feature for this and other mechanisms.
- It shows that `service` should not be hard-coded to `imap`, and should be provided by the client (or the protocol adapter).
  _Please note: Although the current (experimental) client adapters do have a `#service` method, it is not used by the (experimental) AuthenticationExchange yet._
- It requires other attributes that should be provided by the client such as `host`, `port` (also used by `OAUTHBEARER`).
I improved the existing authenticator in several ways:
- ✨ Add `realm`, `host`, `service_name`, `service` attributes. This allows non-IMAP clients to construct the correct `digest-uri`.
- Use `SecureRandom` for `cnonce` (not `Time.now` + insecure PRNG!)
- ✨ Default `qop=auth` (as in RFC)
- ✨ Enforce requirements for `sparam` keys (required and no-multiples).
- ♻️ Refactor toward the style used in the new ScramAuthenticator.

However... it's still deprecated, so don't use it!
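
The client-side checks listed above, as an added Ruby example (not code from this PR or from net-imap): it rejects a challenge with missing or repeated keys, builds `digest-uri` from `service`, `host` and `service_name`, draws `cnonce` from `SecureRandom`, and computes the `qop=auth` response. The method names, `ChallengeError` and the two key lists are assumptions of this example, taken from RFC 2831 rather than from the PR.

```ruby
require "digest/md5"
require "securerandom"

# Key lists follow RFC 2831 section 2.1.1 (chosen for this example; the PR
# text only says "required and no-multiples"). realm may legitimately repeat.
REQUIRED     = %w[nonce algorithm].freeze
NO_MULTIPLES = %w[nonce stale maxbuf charset algorithm].freeze

class ChallengeError < StandardError; end

# Parse a decoded digest-challenge into { "key" => [values] } and reject it
# before any value is used if a required key is missing or duplicated.
def parse_sparams(challenge)
  sparams = Hash.new { |h, k| h[k] = [] }
  challenge.scan(/([a-z-]+)=("(?:[^"\\]|\\.)*"|[^,]+)/i) do |key, val|
    val = val[1..-2].gsub(/\\(.)/, '\1') if val.start_with?('"')
    sparams[key.downcase] << val
  end
  missing = REQUIRED.reject { |k| sparams.key?(k) }
  dups    = NO_MULTIPLES.select { |k| sparams.key?(k) && sparams[k].size > 1 }
  raise ChallengeError, "missing: #{missing.join(', ')}" unless missing.empty?
  raise ChallengeError, "repeated: #{dups.join(', ')}" unless dups.empty?
  sparams
end

# digest-uri = serv-type "/" host [ "/" serv-name ]
def digest_uri(service:, host:, service_name: nil)
  uri = "#{service}/#{host}"
  service_name && service_name != host ? "#{uri}/#{service_name}" : uri
end

# Unpredictable client nonce from the OS CSPRNG (not Time.now plus rand).
def new_cnonce
  SecureRandom.base64(32)
end

# response-value for qop=auth, algorithm=md5-sess, no authzid (RFC 2831 2.1.2.1).
def digest_response(username:, password:, realm:, nonce:, cnonce:, uri:,
                    nc: "00000001", qop: "auth")
  a1 = Digest::MD5.digest("#{username}:#{realm}:#{password}") + ":#{nonce}:#{cnonce}"
  a2 = "AUTHENTICATE:#{uri}"
  Digest::MD5.hexdigest([Digest::MD5.hexdigest(a1), nonce, nc, cnonce, qop,
                         Digest::MD5.hexdigest(a2)].join(":"))
end
```
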