Skip to main content

The Hashed Token SASL Mechanism

Document Type Expired Internet-Draft (individual)
Expired & archived
Authors Florian Schmaus , Christoph Egger
Last updated 2023-05-10 (Latest revision 2022-11-06)
RFC stream (None)
Intended RFC status (None)
Additional resources GitHub Repository
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document specifies the family of Hashed Token SASL mechanisms which enable a proof-of-possession-based authentication scheme and are meant to be used for quick re-authentication of a previous session. The Hashed Token SASL mechanism's authentication sequence consists of only one round-trip. The usage of short-lived, exclusively ephemeral hashed tokens is achieving the single round- trip property. The SASL mechanism specified herin further provides hash agility, mutual authentication and support for channel binding.


Florian Schmaus
Christoph Egger

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)