RFC Errata

Errata Search

Source of RFC  
Summary Table Full Records

RFC 5802, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", July 2010

Note: This RFC has been updated by RFC 7677, RFC 9266

Source of RFC: sasl (sec)
See Also: RFC 5802 w/ inline errata

Errata ID: 2652
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Jehan Pagès
Date Reported: 2010-11-30
Verifier Name: Sean Turner
Date Verified: 2011-03-26

Section 9 says:

It should say:

Add the follow to the end of the 4th paragraph (starts with if an attacker):

  Further, implementations are RECOMMENDED to reject salt values
  shorter than 2 characters and MAY reject even longer salt values if
  they are considered to be insufficient.  See [RFC4086] on generating


The original version (in Sec 7) would allow the empty string (hence the base64 encoding of an empty string). Though it may technically be an acceptable base64 encoded string, it is not acceptable in our use as we use it for security features which are not supposed to be empty (though it is not defined this way, but common sense tells). This security consideration addresses this concern.

Report New Errata

Advanced Search