[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: "POP3 SASL Authentication Mechanism" submitted for publication

To: Paul Leach <paulle@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: "POP3 SASL Authentication Mechanism" submitted for publication
From: Lyndon Nerenberg <lyndon@xxxxxxxxxx>
Date: Mon, 15 Jan 2007 12:28:00 -0800 (PST)
Cc: Lisa Dusseault <lisa@xxxxxxxxxxxxxxxxx>, Arnt Gulbrandsen <arnt@xxxxxxxx>, Alexey Melnikov <alexey.melnikov@xxxxxxxxx>, robsiemb@xxxxxxxxxx, Abhijit Menon-Sen <ams@xxxxxxxx>, Frank Ellermann <nobody@xxxxxxxxxxxxxxxxx>, ietf-pop3ext@xxxxxxx, ietf-sasl@xxxxxxx, Simon Josefsson <simon@xxxxxxxxxxxxx>
In-reply-to: <76323E9F0A911944A4E9225FACFC55BA0352C8B5@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-id: <ietf-pop3ext.imc.org>
List-unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>
Organization: The Frobozz Magic Homing Pigeon Company
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@xxxxxxxxxxxxxxxxx> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@xxxxxxxxxxxx> <45A9DFA8.68E4@xxxxxxxxxxxxxxxxx> <20070114105359.GA30833@xxxxxxxxxxxxxxxx> <87k5zpgz7o.fsf@xxxxxxxxxxxxxxxxxxx> <45AB6731.9090906@xxxxxxxxx> <zS/BiUKvu0x5QwxFHJEDcg.md5@xxxxxxxxxxxxxxxxxxx> <B39CE7B7-98CF-4484-A31A-C175E53D9A74@xxxxxxxxxxxxxxxxx> <76323E9F0A911944A4E9225FACFC55BA0352C8B5@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pop3ext@xxxxxxxxxxxx


On Mon, 15 Jan 2007, Paul Leach wrote:

I worry that having TLS+PLAIN be the MTI sends an implicit message that
it is "good enough". I really think that all use of plain text
passwords, even over an encrypted tunnel to a trusted party, should be
discouraged. (At the very least, a stern passage in the security
considerations section is needed.) It is well known that users use the
same password on many different servers, so TLS+PLAIN lets any such
server act as the user to any other server.

I strongly agree with this. In many corporate environments this sort ofpassword re-use is enforced behaviour, mandated by corporate "security"policy. Strange, but true.



--lyndon

  Never look at the trombones. You'll only encourage them.
  			-- Robert Strauss, on conducting

References:
- "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Lisa Dusseault
- Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Frank Ellermann
- Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Abhijit Menon-Sen
- Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Simon Josefsson
- Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Alexey Melnikov
- Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Arnt Gulbrandsen
- Re: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Lisa Dusseault
- RE: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Paul Leach

Prev by Date: RE: "POP3 SASL Authentication Mechanism" submitted for publication
Next by Date: RE: "POP3 SASL Authentication Mechanism" submitted for publication
Previous by thread: RE: "POP3 SASL Authentication Mechanism" submitted for publication
Next by thread: RE: "POP3 SASL Authentication Mechanism" submitted for publication
Index(es):
- Date
- Thread