Re: AUTH method and MUST's
From: pregen@xxxxxxxxxxxxxxxxxx
This may sound like a dumb question, but is DES-MD5 (which I
believe is also called CRAM-MD5??) in use in corporations and
companies? I know that Kerberos is an issue and is not in as wide a
use as we may like. Does this security requirement ensure that we
will have software companies who can build tools that can
interoperate? Does it ensure we will have corporations and
companies capable of running those products? I know security is
key - being a former administrator and Director of security, it's
what I look at first. It seems like this security piece could end
up being a show-stopper. Am I wrong? Can someone make me
comfortable that if we set this security rule, we will have
companies implement this draft??

I've never heard "CRAM-MD5" called "DES-MD5". CRAM-MD5 can be
fully implemented without any implementation of DES.
From a Unix point of view, CRAM-MD5 and DIGEST-MD5 both suffer from
needing the plaintext password to transition users to them. They
also suffer from scalability problems that Kerberos doesn't; every
service that uses CRAM-MD5 or DIGEST-MD5 must be able to access a copy
of their secrets.
They are only slightly harder to implement than plaintext passwords,
so I don't see an interoperability problem, if that's what you're
asking.
Larry