Kurt Zeilenga writes:
> On Jul 15, 2007, at 6:59 AM, Hallvard B Furuseth wrote:
>> Pierangelo Masarati writes:
>>> AFAIK, the attribute and so is recognized, but it's not implemented (nor will it be, as it is no longer needed).
>> If it's no longer needed - what has changed?
> The technical needs haven't changed. Folks now seem to be finally getting that they have a choice between: a) stronger (than PLAIN) authentication mechanisms (e.g., DIGEST-MD5, SCRAM, YAP, SRP, etc.) (and a single clear text password) or b) PLAIN.
I don't quite see the connection. Those are protocol matters, while {MD5} & co are about how the secret is stored on the server side. There are good reasons to use both variants, including security reasons. Simple Auth and PLAIN do not require data to be stored on the server side which is enough to authenticate to the server, short of a brute force search. Which admittedly is a *lot* cheaper now than a few years ago. DIGEST-MD5 and YAP (I think) do. I think SRP and SCRAM do not, but SCRAM is unfinished and the SRP SASL draft seems to have expired.
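
The storage distinction drawn in the message above, as an added example that is not part of the original thread: a salted {SSHA} value only verifies a password the client presents, while the H(user:realm:password) value a DIGEST-MD5 server keeps (RFC 2831) is by itself enough to compute an accepted response. User, realm, password, salt, nonces and digest-uri are constructed sample values.

```python
import base64
import hashlib
import hmac

# All values below are constructed for illustration.
USER, REALM, PASSWORD = b"alice", b"example.com", b"s3cret"
SALT = b"\x01\x02\x03\x04"
NONCE, CNONCE, URI = b"srv-nonce", b"cli-nonce", b"ldap/ldap.example.com"

def make_ssha(password: bytes, salt: bytes) -> str:
    """Storage form for simple bind / PLAIN: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_simple_bind(stored: str, presented: bytes) -> bool:
    """The client presents the password; the server re-hashes and compares."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(presented + salt).digest(), digest)

def digest_md5_secret(user: bytes, realm: bytes, password: bytes) -> bytes:
    """The least a DIGEST-MD5 server can store: H(user:realm:password)."""
    return hashlib.md5(b":".join([user, realm, password])).digest()

def digest_md5_response(secret: bytes, nonce: bytes, cnonce: bytes, uri: bytes) -> str:
    """RFC 2831 response for qop=auth, nc=00000001, no authzid.
    Note the input is the stored secret, never the password itself."""
    ha1 = hashlib.md5(secret + b":" + nonce + b":" + cnonce).hexdigest().encode()
    ha2 = hashlib.md5(b"AUTHENTICATE:" + uri).hexdigest().encode()
    fields = [ha1, nonce, b"00000001", cnonce, b"auth", ha2]
    return hashlib.md5(b":".join(fields)).hexdigest()

def compare_storage_exposure() -> dict:
    """What each stored value is good for if the credential store is read."""
    ssha = make_ssha(PASSWORD, SALT)
    stored_secret = digest_md5_secret(USER, REALM, PASSWORD)
    # Response a legitimate client derives from the password.
    client = digest_md5_response(
        digest_md5_secret(USER, REALM, PASSWORD), NONCE, CNONCE, URI)
    ssha_digest = base64.b64decode(ssha[len("{SSHA}"):])[:20]
    return {
        "ssha_verifies_password": verify_simple_bind(ssha, PASSWORD),
        # Presenting the stored {SSHA} string as the password is rejected.
        "ssha_value_accepted_as_password": verify_simple_bind(ssha, ssha.encode()),
        # The stored DIGEST-MD5 secret alone reproduces the accepted response.
        "stored_digest_secret_gives_valid_response":
            digest_md5_response(stored_secret, NONCE, CNONCE, URI) == client,
        # The {SSHA} digest is useless as DIGEST-MD5 input.
        "ssha_digest_gives_valid_response":
            digest_md5_response(ssha_digest, NONCE, CNONCE, URI) == client,
    }
```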