RFC 5802, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", July 2010
Source of RFC: sasl (sec)
See Also: RFC 5802 w/ inline errata
Errata ID: 2652
Publication Format(s) : TEXT
Reported By: Jehan Pagès
Date Reported: 2010-11-30
Verifier Name: Sean Turner
Date Verified: 2011-03-26
Section 9 says:
It should say:
Add the following to the end of the 4th paragraph (starts with "If an attacker"): Further, implementations are RECOMMENDED to reject salt values shorter than 2 characters and MAY reject even longer salt values if they are considered to be insufficient. See [RFC4086] on generating randomness.
Notes:
The original version (in Sec 7) would allow the empty string (hence the base64 encoding of an empty string). Though it may technically be an acceptable base64-encoded string, it is not acceptable in our use, as we use it for security features which are not supposed to be empty (though it is not defined this way, common sense tells). This security consideration addresses this concern.
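The check the erratum recommends, worked through on both sides of the exchange, as an added example that is not part of the erratum, of RFC 5802, or of any particular SCRAM implementation. It uses the server-first-message attributes r, s and i from RFC 5802 section 5.1, the section 5.1 recommendation that servers announce an iteration count of at least 4096, and Hi() from section 2.2 (PBKDF2 with HMAC-SHA-1). The reading of "2 characters" as two decoded bytes, the 16-byte default salt, the ScramError class and all function names are assumptions of this example; the exchange in the main block is constructed, except for the client nonce, which is taken from the RFC 5802 example.

```python
import base64
import hashlib
import secrets

# Assumption: the erratum's "2 characters" is read here as 2 decoded bytes.
# It is a floor, not a target; generate_salt() defaults to 16 random bytes.
MIN_SALT_BYTES = 2
RECOMMENDED_SALT_BYTES = 16
# RFC 5802 section 5.1: servers SHOULD announce an iteration count of at least 4096.
MIN_ITERATIONS = 4096


class ScramError(ValueError):
    """Raised when a SCRAM message is malformed or its parameters are too weak."""


def generate_salt(nbytes: int = RECOMMENDED_SALT_BYTES) -> bytes:
    """Server side: a fresh per-user salt from the OS CSPRNG (see RFC 4086)."""
    if nbytes < MIN_SALT_BYTES:
        raise ScramError("refusing to generate a %d-byte salt" % nbytes)
    return secrets.token_bytes(nbytes)


def server_first_message(client_nonce: str, salt: bytes, iterations: int) -> str:
    """Build the server-first-message 'r=...,s=...,i=...' (RFC 5802 section 5.1)."""
    server_nonce = client_nonce + secrets.token_urlsafe(18)
    return "r=%s,s=%s,i=%d" % (
        server_nonce, base64.b64encode(salt).decode("ascii"), iterations)


def parse_server_first(msg: str, client_nonce: str,
                       min_salt_bytes: int = MIN_SALT_BYTES) -> dict:
    """Client side: parse server-first-message and reject weak or empty parameters."""
    attrs = {}
    for item in msg.split(","):
        # Each attribute is a single letter, '=', then the value (possibly empty).
        if len(item) < 2 or item[1] != "=":
            raise ScramError("malformed attribute %r" % item)
        attrs[item[0]] = item[2:]
    for required in ("r", "s", "i"):
        if required not in attrs:
            raise ScramError("missing attribute %r" % required)
    if not attrs["r"].startswith(client_nonce):
        raise ScramError("server nonce does not extend the client nonce")
    try:
        # validate=True rejects non-base64 characters; '' still decodes to b''.
        salt = base64.b64decode(attrs["s"], validate=True)
    except ValueError as e:  # binascii.Error is a ValueError subclass
        raise ScramError("salt is not valid base64") from e
    if len(salt) < min_salt_bytes:
        # This is the erratum's check: an empty or near-empty salt is rejected.
        raise ScramError("salt too short: %d byte(s)" % len(salt))
    if not attrs["i"].isdigit():
        raise ScramError("iteration count is not a positive integer")
    iterations = int(attrs["i"])
    if iterations < MIN_ITERATIONS:
        raise ScramError("iteration count %d is below %d" % (iterations, MIN_ITERATIONS))
    return {"nonce": attrs["r"], "salt": salt, "iterations": iterations}


def salted_password(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi(password, salt, i) from RFC 5802 section 2.2, i.e. PBKDF2 with HMAC-SHA-1.
    With an empty salt this depends on the password alone, so one precomputed
    dictionary would cover every user and every server."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


if __name__ == "__main__":
    # Constructed exchange: the server sends a proper salt, the client accepts it.
    client_nonce = "fyko+d2lbbFgONRv9qkxdawL"  # client nonce from the RFC 5802 example
    good = server_first_message(client_nonce, generate_salt(), 4096)
    params = parse_server_first(good, client_nonce)
    print("accepted: %d-byte salt, i=%d" % (len(params["salt"]), params["iterations"]))
    # The case the erratum closes: an empty 's=' attribute.
    try:
        parse_server_first("r=%sXYZ,s=,i=4096" % client_nonce, client_nonce)
    except ScramError as e:
        print("rejected:", e)
```

One caveat on the wording "shorter than 2 characters": the base64 encoding of any non-empty byte string is at least four characters long, so a two-character floor applied to the encoded attribute value rejects only the empty salt. Checking the decoded length, as above, is the test that actually measures how much salt the server supplied, and a deployment can raise min_salt_bytes well above 2 under the erratum's "MAY reject even longer salt values".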