
Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
Simon Josefsson wrote:

> Abhijit Menon-Sen <ams@xxxxxxxx> writes:
>
> A mandatory CRAM-MD5 as recommended in BCP 46 could make sense
>
> This draft (and rfc2554bis, which Alexey is editing) were both changed
> to use DIGEST-MD5 based on concerns about security. That's the way it
> was when I started editing it, so I'll change it only if there's clear
> consensus about the preferred replacement.
>
> Having implemented both client and server sides of DIGEST-MD5, I can't
> say I'm very fond of it either. Personally, I'd be happy with TLS+PLAIN
> or CRAM-MD5 (or whatever else makes everyone happy without a significant
> security penalty; and I gather CRAM-MD5 is frowned upon in that regard).
>
> I prefer TLS+PLAIN

That would be fine with me, even though I somewhat dislike having a dependency on TLS.

> and TLS+CRAM-MD5

This doesn't give anything over TLS+PLAIN and also doesn't support authorization identity.
I am against this choice.

> over DIGEST-MD5 as well.  I
> believe they both offer better interoperability and security than
> DIGEST-MD5 currently can.
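The authorization-identity point raised in the reply above is easiest to see on the wire. The following is an added illustration, not code from the thread or from either draft: it builds the SASL PLAIN message (RFC 4616, whose first field is the optional authzid) and the CRAM-MD5 client response (RFC 2195, which has only a username and an HMAC-MD5 digest), plus the server-side parse of PLAIN that a POP3 implementation would do. The credentials and the PLAIN challenge below are constructed sample values; the CRAM-MD5 challenge and expected digest are the worked example from RFC 2195.

```python
import base64
import hashlib
import hmac

NUL = "\x00"


def plain_initial_response(authcid: str, password: str, authzid: str = "") -> bytes:
    """Build the SASL PLAIN message: [authzid] NUL authcid NUL passwd.

    The authorization identity is a distinct first field; it is empty when
    the client wants to act as the account it authenticates as. PLAIN sends
    the password itself, which is why it is only acceptable under TLS.
    """
    for field in (authzid, authcid, password):
        if NUL in field:
            raise ValueError("NUL is not permitted inside a PLAIN field")
    return f"{authzid}{NUL}{authcid}{NUL}{password}".encode("utf-8")


def parse_plain_message(message: bytes) -> tuple:
    """Server side: split a PLAIN message into (authzid, authcid, password).

    Exactly two NUL separators are required; anything else is a malformed
    client response and must be rejected rather than guessed at.
    """
    parts = message.decode("utf-8").split(NUL)
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL bytes")
    authzid, authcid, password = parts
    if not authcid or not password:
        raise ValueError("PLAIN requires a non-empty authcid and password")
    return authzid, authcid, password


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """CRAM-MD5 client response: "<username> <hex HMAC-MD5(secret, challenge)>".

    Note the shape: a username and a digest, nothing else. The mechanism
    has no slot for an authorization identity, so a client cannot ask to
    act on behalf of another account the way PLAIN's first field allows.
    """
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: bytes, lookup_secret) -> bool:
    """Server side: recompute the digest from the stored secret and compare
    in constant time. lookup_secret(username) returns the shared secret or
    None; a hypothetical callback standing in for the server's user store."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    secret = lookup_secret(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def auth_line(mechanism: str, payload: bytes) -> str:
    """Render the base64-encoded command line as POP3 AUTH would carry it."""
    return f"AUTH {mechanism} {base64.b64encode(payload).decode('ascii')}"


if __name__ == "__main__":
    # Constructed sample credentials: "admin" authenticates, then asks to
    # act as "alice" (the authzid). Only PLAIN can express that request.
    msg = plain_initial_response("admin", "s3cret", authzid="alice")
    print(auth_line("PLAIN", msg))
    print(parse_plain_message(msg))

    # Worked example taken from RFC 2195.
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    resp = cram_md5_response("tim", "tanstaaftanstaaf", challenge)
    print(auth_line("CRAM-MD5", resp.encode("ascii")))
    print(cram_md5_verify(resp, challenge, lambda u: "tanstaaftanstaaf" if u == "tim" else None))
```

Run stand-alone it prints the two AUTH lines; the PLAIN parse returns the authzid as its own field while the CRAM-MD5 response has nowhere to put one, which is the interoperability gap the reply objects to.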