Re: MD5 authentication needs help

From Stephen Frost
Subject Re: MD5 authentication needs help
Date
Msg-id 20150304161116.GA29780@tamriel.snowman.net
In reply to Re: MD5 authentication needs help  (Magnus Hagander <magnus@hagander.net>)
Responses Re: MD5 authentication needs help  (Heikki Linnakangas <hlinnaka@iki.fi>)
List pgsql-hackers

* Magnus Hagander (magnus@hagander.net) wrote:
> On Wed, Mar 4, 2015 at 5:03 PM, Stephen Frost <sfrost@snowman.net> wrote:
> > No, I'm not suggesting that OpenSSL or TLS become mandatory but was
> > thinking it might be a good alternative as a middle-ground between full
> > client-and-server side certificates and straight password-based auth
> > (which is clearly why it was invented in the first place) and so, yes,
> > md5 would still have to be kept around, but we'd at least be able to
> > deprecate it and tell people "Use TLS-SRP if you really want to use
> > passwords and care about network security".
> >
> > SCRAM doesn't actually fix the issue with network connection hijacking
> > or eavesdropping, except to the extent that it protects the password
> > itself, and so we might want to recommend, for people who are worried
> > about network-based attacks, using TLS-SRP.
>
> Assuming we do implement SCRAM, what does TLS-SRP give us that we wouldn't
> get by just using SCRAM over a TLS connection?

Good question and I'll have to dig more into that.  SCRAM does appear to
support channel binding with TLS and therefore there might not be much
to be gained from having both.

Thanks!

    Stephen
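
Added example, not part of the original message or of PostgreSQL's code: a sketch of the SCRAM-SHA-256 client-final step (RFC 5802 / RFC 7677) showing how channel binding ties the client proof to the TLS connection, which is the property the reply above refers to. The password, salt, nonces, certificates and the choice of the `tls-server-end-point` binding type are constructed for illustration.

```python
import base64, hashlib, hmac

GS2 = b"p=tls-server-end-point,,"  # assumed binding type; client requests it

def b64(raw):
    return base64.b64encode(raw).decode()

def hmac256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def keys(password, salt, iters):
    """Return (ClientKey, StoredKey); the server stores only StoredKey."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    client_key = hmac256(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest()

def client_final(password, salt, iters, first_bare, server_first, nonce, cbind):
    """Client: c= carries the binding of the TLS connection the client sees."""
    client_key, stored_key = keys(password, salt, iters)
    without_proof = f"c={b64(GS2 + cbind)},r={nonce}"
    # AuthMessage = client-first-bare , server-first , client-final-without-proof
    sig = hmac256(stored_key, f"{first_bare},{server_first},{without_proof}".encode())
    proof = bytes(a ^ b for a, b in zip(client_key, sig))
    return f"{without_proof},p={b64(proof)}"

def server_verify(stored_key, first_bare, server_first, final_msg, nonce, cbind):
    """Server: c= must match its own TLS connection and the proof must verify."""
    without_proof, proof = final_msg.rsplit(",p=", 1)
    c_attr, r_attr = without_proof.split(",")
    if c_attr != "c=" + b64(GS2 + cbind) or r_attr != "r=" + nonce:
        return False
    sig = hmac256(stored_key, f"{first_bare},{server_first},{without_proof}".encode())
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(proof), sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

def demo():
    pw, salt, iters = "constructed-password", b"constructed-salt", 4096
    nonce = "clientnonce" + "servernonce"
    first_bare = "n=user,r=clientnonce"
    server_first = f"r={nonce},s={b64(salt)},i={iters}"
    stored = keys(pw, salt, iters)[1]
    real = hashlib.sha256(b"constructed server certificate").digest()
    other = hashlib.sha256(b"constructed intermediary certificate").digest()
    args = (pw, salt, iters, first_bare, server_first, nonce)
    direct = client_final(*args, real)
    relayed = client_final(*args, other)  # client's TLS ended somewhere else
    # Same proof with c= rewritten to the server's binding: AuthMessage changes.
    rewritten = f"c={b64(GS2 + real)},r={nonce},{relayed.rsplit(',', 1)[1]}"
    check = lambda m: server_verify(stored, first_bare, server_first, m, nonce, real)
    return check(direct), check(relayed), check(rewritten)
```

`demo()` returns `(True, False, False)`: the exchange succeeds only when client and server see the same TLS endpoint, because the binding value is both compared by the server and covered by the proof.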
