Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
Abhijit Menon-Sen <ams@xxxxxxxx> writes:
>> A mandatory CRAM-MD5 as recommended in BCP 46 could make sense
>
> This draft (and rfc2554bis, which Alexey is editing) were both changed
> to use DIGEST-MD5 based on concerns about security. That's the way it
> was when I started editing it, so I'll change it only if there's clear
> consensus about the preferred replacement.
>
> Having implemented both client and server sides of DIGEST-MD5, I can't
> say I'm very fond of it either. Personally, I'd be happy with TLS+PLAIN
> or CRAM-MD5 (or whatever else makes everyone happy without a significant
> security penalty; and I gather CRAM-MD5 is frowned upon in that regard).
I prefer TLS+PLAIN and TLS+CRAM-MD5 over DIGEST-MD5 as well. I
believe they both offer better interoperability and security than
DIGEST-MD5 currently can.
/Simon