PR #602 - Mechanism table update (for now, doc only proposal)

Rick van Rein rick at openfortress.nl
Wed Mar 25 06:38:10 EDT 2020


Hello,

This is a note that I posted a Pull Request on Cyrus SASL.  There are a
few serious problems in the mechanism table, and I hope this makes it a
bit more useful for users to decide on what mechanisms to use.

-Rick


In a few steps, I've revised the table of authentication mechanisms.
This table was long overdue for such an update, I think.

I added columns for Post Quantum protection (which is not an issue for
authentication until Quantum Computers actually arrive, unlike for
encryption, but systems change slowly so this is a useful aspect to
document).

I added a column for the current state according to the IANA registry of
SASL mechanism names.

I could not find anything on G2, and am wondering if it might be a
misspelled GS2 name?

I have removed the remark about encryption from MAX SSF, as this is not
considered of value in SASL anymore; it is mostly about authentication
not encryption. I updated the description to reference brute-force
search space instead, and added a value for low password quality and
many-rounds effort on low password quality. The term MAX SSF might
suggest that the password quality can be 128 bit, however, which is one
of many ways in which the whole MAX SSF notion is confusing and perhaps
disinformation.

I edited the MAX SSF column, and am well aware that it is subjective.
Still, it did not reflect reality at all -- Kerberos5 has long
deprecated DES, EXTERNAL is usually based on strong crypto, and so on.

I tried to make separately rejectable/acceptable commits out of this.
Please use that when you (dis)agree with (parts of) this proposal. Any
of these updates would improve the table, IMHO.


More information about the Cyrus-sasl mailing list