| From: | Abhijit Menon-Sen <ams(at)2ndQuadrant(dot)com> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, pgsql-hackers(at)postgreSQL(dot)org |
| Subject: | Re: MD5 authentication needs help -SCRAM |
| Date: | 2015-03-09 14:43:59 |
| Message-ID: | 20150309144359.GA13524@toroid.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
At 2015-03-09 13:52:10 +0200, hlinnaka(at)iki(dot)fi wrote:
>
> Do you have any insight on why the IETF working group didn't choose a
> PAKE protocol instead of or in addition to SCRAM, when SCRAM was
> standardized?
Hi Heikki.
It was a long time ago, but I recall that SRP was patent-encumbered:
https://datatracker.ietf.org/ipr/search/?rfc=2945&submit=rfc
The Wikipedia page says the relevant patents expired in 2011 and 2013.
I haven't followed SRP development since then, maybe it's been revised.
When SCRAM was being discussed, I can't recall any other proposals for
PAKE protocols. Besides, as you may already know, anyone can submit an
internet-draft about anything. It needs to gain general support for an
extended period in order to advance through the standards process.
Could you please explain what exactly you mean about a SCRAM
eavesdropper gaining some advantage in being able to mount a
dictionary attack? I didn't follow that part.
-- Abhijit
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2015-03-09 14:55:57 | Re: One question about security label command |
| Previous Message | Amit Kapila | 2015-03-09 14:38:59 | Re: Parallel Seq Scan |