On 8/11/19 3:56 PM, Peter Eisentraut wrote: > On 2019-08-11 21:46, Jonathan S. Katz wrote: >> On 8/11/19 1:00 PM, Peter Eisentraut wrote: >>> On 2019-08-09 23:56, Jeff Davis wrote: >>>> 1. Hierarchical semantics, where you specify the least-secure >>>> acceptable method: >>>> >>>> password_protocol = {any,md5,scram-sha-256,scram-sha-256-plus} >>> >>> What would the hierarchy be if scram-sha-512 and scram-sha-512-plus are >>> added? >> >> password_protocol = >> {any,md5,scram-sha-256,scram-sha-512,scram-sha-256-plus,scram-sha-512-plus}? >> >> I'd put one length of digest over another, but I'd still rank a method >> that uses channel binding has more protections than one that does not. > > Sure, but the opposite opinion is also possible.
That's true, and when originally started composing my note I had it as (256,512,256-plus,512-plus). But upon further reflection, the reason I ranked the digest-plus methods above the digest methods is that there is any additional requirement imposed by them. The digest methods could be invoked either with/without TLS, whereas the digest-plus methods *must* use TLS. As such, 256-plus is explicitly asking for an additional security parameter over 512, i.e. transmission over TLS, so even if it's a smaller digest, it has the additional channel binding requirement. Jonathan
signature.asc
Description: OpenPGP digital signature