Re: [sieve] ManageSieve / SCRAM

2010-08-06 12:42:15
--On Friday, August 06, 2010 09:18:18 AM -0700 NED+mta-filters(_at_)mauve(_dot_)mrochek(_dot_)com wrote:

RFC 5804 says:

> To ensure interoperability, both client and server implementations of
>    the ManageSieve protocol MUST implement the SCRAM-SHA-1 [SCRAM] SASL
>    mechanism, as well as [PLAIN] over [TLS].

How can this be a requirement, when SCRAM requires passwords to be
stored either as plaintext or in a special SCRAM format? Very few
existing installations would be able to easily start supporting SCRAM.

(Or is this just a tricky way of saying that server code must be able to
support it, but admins can choose if it's actually enabled?)

I don't think it's especially tricky. The text clearly says "implement"
and implement != use.

It's not tricky at all. The goal, as always, is to insure that you can pick arbitrary combinations of clients and servers off the shelf and be assured of being able to deploy them in a way that is both secure and interoperable. This is particularly important when the operator of a server doesn't have control over the clients, which is most of the time.
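
An added illustration of the storage concern raised in the quoted question (not part of the original message): the record a SCRAM-SHA-1 server keeps is derived from the password as specified in RFC 5802, so a legacy password hash cannot stand in for it. The exchange values are the example from RFC 5802 section 5; the function names and the salted SHA-1 "legacy" entry are constructed for this sketch, and SASLprep is skipped on the assumption of an ASCII password.

```python
import base64
import hashlib
import hmac


def scram_sha1_credentials(password, salt, iterations):
    """Derive the (StoredKey, ServerKey) pair a SCRAM-SHA-1 server keeps."""
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-1. SASLprep is skipped here
    # (assumption: ASCII-only password).
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("ascii"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return hashlib.sha1(client_key).digest(), server_key


def verify_client_proof(stored_key, auth_message, proof_b64):
    """Server-side check: needs StoredKey only, never the plaintext."""
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    proof = base64.b64decode(proof_b64)
    if len(proof) != len(signature):
        return False
    client_key = bytes(p ^ s for p, s in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)


def server_signature(server_key, auth_message):
    """Value the server returns as v=... so the client can authenticate it."""
    return base64.b64encode(hmac.new(server_key, auth_message, hashlib.sha1).digest()).decode()


# Example exchange from RFC 5802 section 5 (user "user", password "pencil").
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
NONCE = "fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = ",".join([
    "n=user,r=fyko+d2lbbFgONRv9qkxdawL",          # client-first-message-bare
    "r=%s,s=QSXCR+Q6sek8bf92,i=4096" % NONCE,     # server-first-message
    "c=biws,r=%s" % NONCE,                        # client-final-without-proof
]).encode("ascii")
CLIENT_PROOF = "v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="

STORED_KEY, SERVER_KEY = scram_sha1_credentials("pencil", SALT, ITERATIONS)
# Constructed stand-in for a legacy password database entry (salted SHA-1).
LEGACY_HASH = hashlib.sha1(SALT + b"pencil").digest()

if __name__ == "__main__":
    print("SCRAM record accepts proof:", verify_client_proof(STORED_KEY, AUTH_MESSAGE, CLIENT_PROOF))
    print("legacy hash accepts proof:", verify_client_proof(LEGACY_HASH, AUTH_MESSAGE, CLIENT_PROOF))
    print("server signature:", server_signature(SERVER_KEY, AUTH_MESSAGE))
```

Because the record is a one-way derivation from the password, a site holding only legacy hashes can produce it only when it next sees a user's plaintext, for example during a PLAIN login over TLS.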