RFC Errata
RFC 4643, "Network News Transfer Protocol (NNTP) Extension for Authentication", October 2006
Source of RFC: nntpext (app)
Errata ID: 8515
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Julien ÉLIE
Date Reported: 2025-07-16
Section 2.4.2 says:
To ensure interoperability, client and server implementations of this extension MUST implement the [DIGEST-MD5] SASL mechanism.
It should say:
To ensure interoperability, client and server implementations of this extension MUST implement the [SCRAM-SHA-256] SASL mechanism.
Notes:
The DIGEST-MD5 mechanism was marked as obsolete more than a decade ago, in 2011, by RFC 6331 ("Moving DIGEST-MD5 to Historic") because of several flaws. The new recommendation is to use SCRAM:
The Salted Challenge Response Authentication Mechanism (SCRAM) family
of SASL mechanisms [RFC5802] has been developed to provide similar
features as DIGEST-MD5 but with a better design.
SASL libraries are beginning to retire DIGEST-MD5, so it may no longer be available in current software implementations. I believe another mechanism should be mentioned in RFC 4643 for interoperability: either SCRAM-SHA-256 or SCRAM-SHA-512 (which may last some more years), for instance.
DIGEST-MD5 should also be removed from all the examples in which it appears in RFC 4643.
