XSF Discussion - 2020-05-11


  1. Maranda

    Metronome if the internal hashed auth backend is used just stores sha-1/256/384/512 server keys hash variants in the account credentials datastore whenever a password is generated

  2. Maranda

    So it's more if you see DIGEST-MD5 offered to be a symptom that passwords are stored in plain

  3. dwd

    Just reading back, I'm not actually sure of the reason I made SASL2 use a distinct stream feature. But as I've previously said, anything that makes SASL2 have a namespace bump to urn:xmpp:sasl:2 is fine by me. :-)

  4. dwd

    Also: https://tools.ietf.org/html/rfc5802#section-6.1 does indeed say that servers MUST tls-unique, and that clients SHOULD. But all normative requirements can be altered by negotiation, meaning that clients implicitly MAY use anything that the server explicitly says it can support.

  5. Neustradamus_

    Thanks people to look SCRAM-SHA-256 and TLS Binding for -PLUS SCRAM variants.

  6. dwd

    larma, Final note - we're stuck with -PLUS because that comes from the SASL layer (or quite possibly the GS2 layer).

  7. dwd

    Maranda, DIGEST-MD% doesn't need to store a plaintext password, though it does essentially mandate a plaintext equivalent. CRAM-MD5 has to store plaintext passwords, though, unless you do really shady things with partially computed HMACs.

  8. Neustradamus_

    If you search more informations: Do not lost this link: https://github.com/scram-xmpp/info/issues/1

  9. larma

    dwd: I don't read the SCRAM RFC as if there was no way to work without -PLUS.

  10. Neustradamus_

    Do not forget the RFC 8600: https://tools.ietf.org/html/rfc8600 which it was published 2019-06-21 (soon one year): "When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

  11. Neustradamus_

    Do not forget the RFC 8600: https://tools.ietf.org/html/rfc8600 which has been published 2019-06-21 (soon one year): "When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

  12. Guus

    Is there someone in here with administrative powers on tigase.org ?

  13. Neustradamus_

    Guus: tigase@muc.tigase.org

  14. Guus

    Given that I want to discuss connectivity issues, that's not ideal. 🙂

  15. Neustradamus_

    I have informed you some days ago ;)

  16. Neustradamus_

    I have invited people here

  17. Guus

    Thanks

  18. larma

    Neustradamus_: RFC 8600 is not relevant for most XMPP software (especially anything chat related). It merely "defines how to use XMPP for the exchange of security notifications on a controlled-access network among authorized entities"

  19. Neustradamus_

    Maybe but SCRAM part is important.

  20. Neustradamus_

    And it is logic.

  21. dwd

    But it's largely a profile of XMPP for a specific purpose - specifically, it doesn't update RFC 6120.

  22. Neustradamus_

    Guus: Andrzej from Tigase here

  23. dwd

    And if it had tried to, I would have shot that one down.

  24. larma

    It also says servers MUST support at least SCRAM or EXTERNAL. Which obviously should not apply to all XMPP usecases.

  25. Neustradamus_

    larma: XMPP server softwares do it: - Prosody IM: https://modules.prosody.im/mod_auth_external.html - Metronome IM: https://github.com/maranda/metronome/blob/master/plugins/mod_auth_external.lua - ejabberd: https://github.com/processone/ejabberd/blob/master/src/ejabberd_auth_external.erl - Mongoose IM: https://github.com/esl/MongooseIM/tree/master/src/auth

  26. larma

    Neustradamus_: that doesn't make RFC8600 relevant in this context

  27. larma

    Nobody is saying implementing SCRAM-SHA-256/-512 is a bad idea. But that doesn't mean it necessarily has the priority you are suggesting everywhere.

  28. larma

    I bet that if you do a pull request to any software that doesn't implement it yet, it would be accepted. But you can't blame developers for not giving it the priority you'd like.

  29. Neustradamus_

    larma: the point is have the good order from best to worst SCRAM and RFC 8600 (stpeter is an author): "When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

  30. Neustradamus_

    It is not SCRAM-SHA-256 = SCRAM-SHA-1 or SCRAM-SHA-1 is preferred to SCRAM-SHA-256...

  31. Neustradamus_

    We can understand: SCRAM-SHA-256-PLUS > SCRAM-SHA-256 > SCRAM-SHA-1-PLUS > SCRAM-SHA-1

  32. Neustradamus_

    It is like DIGEST-MD5 > CRAM-MD5

  33. Neustradamus_

    Of course if the XMPP server supports, we can see in XMPP clients: - if only SCRAM-SHA-1 it is easy - if only SCRAM-SHA-256 it is easy - if SCRAM-SHA-1-PLUS and SCRAM-SHA-1 // SCRAM-SHA-1-PLUS > SCRAM-SHA-1 - if SCRAM-SHA-256 and SCRAM-SHA-1 // SCRAM-SHA-256 > SCRAM-SHA-1 - if SCRAM-SHA-256-PLUS, SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1 // SCRAM-SHA-256-PLUS > SCRAM-SHA-256 > SCRAM-SHA-1-PLUS > SCRAM-SHA-1 - if SCRAM-SHA-256-PLUS, SCRAM-SHA-1-PLUS // SCRAM-SHA-256-PLUS > SCRAM-SHA-1-PLUS

  34. Neustradamus_

    Of course if the XMPP server supports, we can see in XMPP clients: - if only SCRAM-SHA-1 it is easy - if SCRAM-SHA-1-PLUS and SCRAM-SHA-1 // SCRAM-SHA-1-PLUS > SCRAM-SHA-1 - if only SCRAM-SHA-256 it is easy - if SCRAM-SHA-256-PLUS and SCRAM-SHA-256 // SCRAM-SHA-256-PLUS > SCRAM-SHA-256 - if SCRAM-SHA-256 and SCRAM-SHA-1 // SCRAM-SHA-256 > SCRAM-SHA-1 - if SCRAM-SHA-256-PLUS, SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1 // SCRAM-SHA-256-PLUS > SCRAM-SHA-256 > SCRAM-SHA-1-PLUS > SCRAM-SHA-1 - if SCRAM-SHA-256-PLUS, SCRAM-SHA-1-PLUS // SCRAM-SHA-256-PLUS > SCRAM-SHA-1-PLUS

  35. Maranda

    dwd: I didn't say it does, I said that "in Metronome it does"

  36. dwd

    Maranda, Ah, gotcha.

  37. Maranda

    The only auth backend that does provide DIGEST-MD5 is the internal plain one

  38. larma

    Neustradamus_, I think it's clear to everyone that IF both server and client support both SHA-1 and SHA-256, SHA-256 should be preferred. And that IF both server and client support -PLUS, -PLUS should be preferred. You apparently left out the small sidecase where SCRAM-SHA-1-PLUS and SCRAM-SHA-256 are supported, because it's not obvious what is to be preferred then (IMO it's -PLUS).

  39. jonas’

    (agreed on -PLUS over SHA2)

  40. larma

    However the default today is a) servers typically don't offer SHA-256 because the password is hashed with SHA-1 in database, making it impossible to offer SHA-256. There is no proper upgrade path from SHA-1 to SHA-256. b) clients don't offer SHA-256 because servers typically don't and it's not worth the effort to implement it for the very few cases where servers do. Because basically in all cases one can just fallback to PLAIN anyway without significant loss in security (if users follow best practices for passwords)

  41. jonas’

    in my arrogant developer opinion, if implementing SHA-256 is hard after you have the SHA-1 variant implemented, you are in dire need of refactoring.

  42. larma

    jonas’, that is indeed true 😉

  43. larma

    but it needs to be tested, which is already hard enough given there are so few servers in practice supporting it 😉

  44. jonas’

    I’m a believer in test-driven development, and if my SHA-1 implementation passes the test vectors, I’m confident enough that the SHA-256 variant will work flawlessly.

  45. larma

    IMO there is also a design fail in how we login that I have to present the mechanisms *before* knowing the login name.

  46. larma

    Was that tackled by sasl2?

  47. jonas’

    larma, presenting the mechanisms afterwards would be a security problem

  48. jonas’

    you could test user existence then

  49. larma

    as if that wasn't possible already through various ways...

  50. larma

    also servers could answer with fake mechanisms if user doesn't exist...

  51. jonas’

    larma, the fake mechanisms would still look different than some user’s real mechanisms

  52. jonas’

    and AFAIK user enumeration is a problem we generally avoid *by default* if possible.

  53. larma

    server could send the mechanisms that are send to the largest amount of users on the server. Than it's still possible to detect some users, but not all.

  54. jonas’

    yeah, and expensive to figure that out.

  55. larma

    However the advantage is huge as that would allow an upgrade path for the hash algorithm

  56. jonas’

    could do that with SASL2 already, though it requires offering *only* the old mechanism until all accounts have been upgraded.

  57. larma

    even in that case you have to store both password hashes for the time until all accounts upgraded. If it was per user, you could just do it per user. You could even decide server-side based on the clients that connected previously if you want to upgrade a user or not.

  58. jonas’

    yes, but that’s not feasible unless you want to allow user enumeration.

  59. jonas’

    yes, but that’s not feasible unless you want to allow user probing.

  60. jonas’

    which RFC 6120 and RFC 6121 go a long way to avoid.

  61. jonas’

    nevermind that vcard-temp and possibly other things allow it if the user explicitly published some data

  62. larma

    IMO, user enumeration is when I can get a list of users, not when I can try out every possible JID.

  63. jonas’

    but the default is that you can’t enumerate accounts.

  64. jonas’

    larma, that’s why I /correct’d my message.

  65. larma

    right.

  66. jonas’

    s/enumerate/probe/

  67. larma

    well there are a ton of XEPs where you can probe users

  68. jonas’

    but only after the users did sometihng to allow that

  69. larma

    not even sure if it's not possible by RFC, but certainly by CS2020

  70. larma

    PEP for example makes users probe-able

  71. jonas’

    I’m aware of that

  72. jonas’

    but it shouldn’t be the default.

  73. jonas’

    (and it isn’t)

  74. larma

    that you have PEP?

  75. jonas’

    that you have a PEP node which is world-readable

  76. larma

    you don't need that

  77. jonas’

    you don’t?

  78. larma

    even if it's not readable, you get different errors

  79. jonas’

    that’s a bug then

  80. jonas’

    either in the standard or in the implementations

  81. larma

    also pubsub nodes MUST be disco-able

  82. jonas’

    I’m fairly certain that you can always return <forbidden/> if you don’t want to let someone read nodes

  83. larma

    jonas’, you could but it wouldn't be XEP-compliant. Also that doesn't solve the pubsub must be disco-able. If it wasn't you couldn't have world-readable PEP nodes.

  84. jonas’

    larma, then the XEP needs to be fixed

  85. jonas’

    but I’m sitll fairly certain that you can do that without having to fix the XEP

  86. jonas’

    ah, maybe only returning the items you can actually see would suffice already

  87. jonas’

    my point is: those are issues which can and need to be fixed

  88. jonas’

    that they exist is no reason to open more issues.

  89. larma

    but if a user doesn't exist it also doesn't have a pep service on it's jid

  90. jonas’

    larma, servers could easily pretend that

  91. jonas’

    larma, servers could easily pretend that there is an empty pep service.

  92. larma

    I think it's just plain ignorant to claim that users are not probe-able and thus we should design protocols such that this remains true.

  93. jonas’

    that’s a valid opinion. I disagree.

  94. larma

    Do you think it's likely we'll ever reach the state where user probing is not possible?

  95. jonas’

    yes

  96. larma

    ok, so how would you like to do the upgrade then?

  97. jonas’

    as I wrote above

  98. jonas’

    you’ll have to wait for all accounts to be upgraded

  99. jonas’

    typically that’s done with a deadline after which users have to use a password reset facility to regain access

  100. jonas’

    or their account is deleted

  101. Neustradamus_

    It is possible to have SCRAM-SHA-256(-PLUS) and SCRAM-SHA-1(-PLUS) enabled on an XMPP server but some users with only SCRAM-SHA-1 passwords (if originally not in PLAIN). If the user change of password, SCRAM-SHA-1 and SCRAM-SHA-256 will be here.

  102. Holger

    Users love changing passwords for random reasons.

  103. larma

    Neustradamus_, upgrade only makes sense when we don't support SHA-1 afterwards (or at least that's when it really makes a difference)

  104. Neustradamus_

    Currently: Jackal XMPP server, Metronome IM, Mongoose IM master (soon a release), Prosody 0.12-dev, Tigase are already good.

  105. Holger

    We should just switch *TODAY*.

  106. Zash

    Flag day?

  107. Holger

    (kk I'll get coffee and quite trolling.)

  108. Holger

    quit

  109. Daniel

    This will instantly make xmpp 256 times more secure

  110. larma

    Neustradamus_, they all store passwords in both sha1 and sha256? doubt that... They probably support sha1 and sha256 when password is stored in plaintext

  111. Zash

    I'll get right to work hacking into every existing deployment and invalidating all credentials!

  112. jonas’

    Zash, easy!

  113. jonas’

    just publish mod_av which claims to enable A/V support immediately

  114. Zash

    larma, correct in the case of Prosody 0.12. Hashed credentials are stored in one or the other and can't be changed afterwards.

  115. larma

    Zash, which means *proper* setups have no upgrade path to sha-256, which is exactly what I'd like to tackle somehow before we blame everyone for not implementing things that can't be upgraded on anyway

  116. Zash

    There's no upgrade path anyways

  117. larma

    There could be, we just don't have one yet.

  118. larma

    even if the upgrade only happens when you do your next password change, that's an upgrade path

  119. larma

    or it happens when you next sign in with a device that does PLAIN

  120. larma

    (which happens as soon as a client only supports PLAIN and SHA-256 and your server is still on SHA-1)

  121. larma

    however the upgrade path requires a way for the server to signal that they currently don't have the sha256 hash and thus can't use SCRAM-SHA-256

  122. larma

    and this should be per user.

  123. jonas’

    which is indistinguishable from a downgrade attack, by the way.

  124. Zash

    this

  125. larma

    a downgrade attack through an authenticated channel?

  126. Zash

    If I somehow steal your cert+privkey and get your clients to connect to me and I only offer PLAIN, I can steal their passwords.

  127. larma

    only if they have the passwod in cleartext, which they shouldn't if your server supported scram

  128. larma

    I was talking about a newly connecting client, and that would be fooled by such attack anyways

  129. jonas’

    FTR, we do have: https://tools.ietf.org/html/rfc6120#section-6.5.9

  130. larma

    also when I can get you to connect to me without -PLUS I can already steal all your messages from MAM which is probably worth way more than the password...

  131. jonas’

    given that the initial data in SCRAM is enough to identify the user, servers could reply with mechanism-too-weak on a migrated account

  132. jonas’

    not sure what to do with a non-migrated account though

  133. Zash

    Is there an "upgrade required"?

  134. larma

    jonas’, but then I can probe users again

  135. jonas’

    larma, yes

  136. larma

    also mechanism-too-weak will probably fail on clients

  137. jonas’

    can I swing my "arrogant developer hammer" again? ;)

  138. larma

    assuming clients exist that only do plain and sha-1 and server supports plain,sha-1 and sha-256 in general, but for a specific account only plain+sha-256 (because account was upgraded), the client should try sha-1 and then would get <mechanism-too-weak/> which shouldn't be interpreted as "try plain instead"

  139. larma

    = in this upgrade path a proper client would stop working for no good reason.

  140. Neustradamus_

    larma: if an XMPP client has only SCRAM-SHA-1 and server has PLAIN and SCRAM-SHA-256, it fails.

  141. Neustradamus_

    Note that an XMPP client can have in settings : force PLAIN password, ...

  142. Neustradamus_

    Screenshots: - https://i.ibb.co/RzgYTRS/psi-plus-allow-plaintext-authentication.png - https://i.ibb.co/n3vxnyT/psi-plus-encrypt-connection.png

  143. Neustradamus_

    Gajim via nbxmpp has SCRAM-SHA-256(-PLUS) and SCRAM-SHA-1(-PLUS) https://dev.gajim.org/gajim/python-nbxmpp/commit/f2a203387891455c052d44f8b1ceae711773cb81

  144. Neustradamus_

    lovetox: ^

  145. larma

    Neustradamus_, I think you are missing the point here really. There is no client that does not support PLAIN. And it's unlikely there ever will be.

  146. Maranda

    > Neustradamus_, they all store passwords in both sha1 and sha256? doubt that... They probably support sha1 and sha256 when password is stored in plaintext Why not that's what I exactly do

  147. Maranda

    > Neustradamus_, they all store passwords in both sha1 and sha256? doubt that... They probably support sha1 and sha256 when password is stored in plaintext Why not that's what I exactly do larma

  148. Neustradamus_

    Maranda: How it is done with Metronome and your XMPP server?

  149. Maranda

    I just said that I generate server keys for each hashing algorythm I support for SCRAM

  150. larma

    Maranda, but then you don't have the advantage of the more secure hashing algorithm to protect password from cracking (if password database is leaked). Because I can just attack the hash with the lowest security (sha-1)

  151. larma

    which kind of is the point of using sha-256 over sha-1

  152. Maranda

    And then most bussness infrastructures out there do still have the requirement to have at least reversible encrypted passwords, so the whole argument is kind of "a good purpose" one but again all it matters is safety and trust of the who deals with 'em.

  153. Zash

    Could someone find a cryptomath wizard and ask them to calculate the ratio of securityness between sha-256 and sha-1

  154. Zash

    ... and then we just increase the minimum iteration count by that ratio!!!

  155. Zash

    bam, sha1 forever

  156. larma

    .... that's not how this works...

  157. Maranda

    larma: i'd ditch all other mechanisms for scram-sha-512-plus already just get all clients to support that and channel binding and we have a deal

  158. larma

    Maranda, sounds like a great plan, except it doesn't work because legacy clients will always be around.

  159. Maranda

    larma: oh really? 😘

  160. larma

    😉

  161. Zash

    (and scram-sha-512-plus is undefined and doesn't exist)

  162. larma

    can we do scram-argon2d-plus please?

  163. Zash

    sure

  164. larma

    *Argon2id

  165. Zash

    I the SCRAM construct doesn't depend that much on PBKDF2

  166. Zash

    The SCRAM construct doesn't depend that much on PBKDF2

  167. Zash

    any ƒ(password, salt, iterations) → blob would do in theory

  168. Zash

    Gets weird if it takes other parameters than those tho

  169. larma

    well, it already does that

  170. larma

    SCRAM-SHA-256 has ƒ(password, salt, iterations) = sha2(32, password, salt, iterations)

  171. Zash

    You mean PBKDF2(hmac-sha-256, ..., output size)

  172. Zash

    Hi() is a special case of PBKDF2 with some predefined parameters

  173. larma

    whatever 😉 sha-256 already is sha-2 + 32 byte. So any SCRAM-ARGON-X could do the same

  174. larma

    but probably not gonna happen soonish anyway 🙁

  175. larma

    probably never

  176. Zash

    Not with that attitude :P

  177. larma

    would be too good if we weren't discussing upgrading to something that's already outdated...

  178. Zash

    SHA-2 isn't outdated?

  179. larma

    there is SHA-3, so by definition SHA-2 is outdated

  180. Zash

    SHA-2 isn't broken yet afaik

  181. larma

    yeah, wasn't saying broken

  182. larma

    sha-1 also isn't broken for our usage

  183. Zash

    I thought the point of picking a SHA-3 was to have something in case the very foundational concepts that SHA-2 (and SHA-1) are built on were broken, and that's not happen yet

  184. Zash

    Yeah, so why the push to SHA-2?

  185. Zash

    We gain nothing but pain atm

  186. larma

    It's not me who is pushing 😉

  187. larma

    I am just pushing for an upgrade path, so we can handle it should it become necessary

  188. larma

    plan the upgrade now so it can happen in 10 years or so

  189. larma

    don't do another 12-byte IV 😀

  190. Zash

    Invent a better SCRAM, one that can tell the client in a secure manner "yo, you gonna need to reset your password for security upgrade reasons"

  191. jonas’

    Zash, you can do that with SASL2 after successfully authenticating with SCRAM first

  192. Zash

    Sure

  193. Neustradamus_

    SCRAM SHA-3 is planned yes

  194. larma

    And SCRAM Argon2id?

  195. Zash

    It's tricky since you don't know at the time when you're offering mechanisms whether the user supports them.

  196. jonas’

    we’ve been at this point two hours ago

  197. Zash

    :)

  198. Zash

    And weeks/months ago.

  199. larma

    maybe we should have clients propose mechanism to the server not the other way round

  200. Zash

    I'm just copying from a script actually :P

  201. jonas’

    larma, and then what? you can still probe by looking at the mechanisms accepted for $randomUUID vs. $guessedUsername

  202. larma

    it adds complexity to the attack

  203. jonas’

    not much though

  204. Maranda

    Oh heaven so this is about brute forcing SCRAM?

  205. larma

    maybe we need a stateful authentication protocol and abandon passwords after first login

  206. jonas’

    Maranda, no

  207. jonas’

    larma, like the thing dave wrote?

  208. Maranda

    And/or possibility of

  209. jonas’

    also, I’m all for it

  210. jonas’

    Maranda, no

  211. Maranda

    jonas’: better

  212. Maranda has a log tail which could have been more interesting in that case 👨‍💻

  213. larma

    jonas’, not sure about the exact protocol, but yeah something that gives you a per-client token that can be stored by the client and also can be revoked if necessary.

  214. Zash

    OAuth?

  215. larma

    Alternatively we could only announce PLAIN in mechanisms, than get told the mechanisms supported by server *after* succesful login and be able to use SCRAM-* on later logins, ignoring that only PLAIN is announced.

  216. Zash

    What was that combined auth and stream resumption token spec called?

  217. Zash

    larma, haha

  218. larma

    Zash, 397?

  219. Zash

    That's the one

  220. jonas’

    https://tools.ietf.org/html/draft-cridland-kitten-clientkey-00 that’s the one I meant

  221. larma

    E_TOO_MANY_PROTOCOLS

  222. Zash

    Bring back https://xmpp.org/extensions/xep-0078.html !!!!11! /s

  223. larma

    Zash, IIRC in OAuth the client has to register a-priori with the service to receive the client-key, no?

  224. Zash

    It Depends!

  225. larma

    which is also why OAuth for email got no traction. email clients only support Google and Microsoft for OAuth

  226. Zash

    If you use deprecated parts of OAuth you can get a token using a password.

  227. larma

    Ah, right. But that's not how it's supposed to be.

  228. larma

    Because you can't make use of service specific login pages that do 2fa and alike then.

  229. Zash

    If you're going to use OAuth "as it's supposed to be" then you can't have nice things, only browser and web services.

  230. larma

    well non-browser clients can open a web browser to authenticate than callback to the client

  231. larma

    that's how thunderbird does googlemail

  232. Zash

    from another part of my script, I say "if I have to open a browser then I hate it"

  233. larma

    that's ok, you can still do PLAIN

  234. larma

    with a single-use password you somehow retrieved from your service

  235. larma

    (probably using a browser)

  236. dwd

    XEP-0397 is CLIENTKEY, but the SASL bits live in the I-D. The other thing you could do is XEP-0257 (or similar).

  237. larma

    dwd, xep-0397 doesn't have the counter part built-in. And it's also not asking for TOTP (which probably shouldn't have been in clientkey anyway)

  238. dwd

    Oh, wait. Wrong XEP.

  239. larma

    oh, and xep-0397 also doesn't have expiry

  240. dwd

    XEP-0399.

  241. larma

    I kind of wonder why all the TOTP is part of those XEPs

  242. larma

    seems kind of arbitrary to put it in there, as it could be completely ignored

  243. larma

    I see it makes things easier if TOTP is required, but it also works and makes sense without TOTP

  244. larma

    but in general, I'd rather see 399 being pushed than SCRAM-SHA-256

  245. dwd

    For '399? That was the driving factor for Surevine, as it happens.

  246. larma

    I mean TOTP is obviously non-normative in '399, so I am fine with that, but I'd probably want to get rid of that before moving it to draft.

  247. dwd

    So we had a requirement from the market for second-factor, based on TOTP. So we had SASL2+TOTP (in Openfire, code public), but it was a browser-based client, so we needed to avoid forcing the user to re-enter TOTP every time they refreshed, hence '399.

  248. larma

    Also CLIENT-KEY and CLIENT-KEY-PLUS would need to be IANA registered first, right?

  249. dwd

    The '399 code is also public, but it's an earlier design.

  250. larma

    dwd, yeah I guessed that TOTP was the driving force here 😉

  251. dwd

    larma, Sorta. Eventually. But they're in I-D form now.

  252. dwd

    larma, But I wouldn't remove 2FA entirely from '399 - while CLIENTKEY isn't dependent on it, it feels important that a client shouldn't ordinarily get a TOTP challenge when using CLIENTKEY, since the client installation has become the second factor, sort of.

  253. larma

    Yes, I am fine with mentioning that, basically the 4th sentence in §2.

  254. larma

    Also probably the other way round, mention it in 400, no?

  255. larma

    *mention '399 in '400