[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: "POP3 SASL Authentication Mechanism" submitted for publication

To: Paul Leach <paulle@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: "POP3 SASL Authentication Mechanism" submitted for publication
From: "Kurt D. Zeilenga" <Kurt@xxxxxxxxxxxx>
Date: Mon, 15 Jan 2007 12:46:40 -0800
Cc: Lisa Dusseault <lisa@xxxxxxxxxxxxxxxxx>, Arnt Gulbrandsen <arnt@xxxxxxxx>, Alexey Melnikov <alexey.melnikov@xxxxxxxxx>, <robsiemb@xxxxxxxxxx>, Abhijit Menon-Sen <ams@xxxxxxxx>, Frank Ellermann <nobody@xxxxxxxxxxxxxxxxx>, <ietf-pop3ext@xxxxxxx>, <ietf-sasl@xxxxxxx>, Simon Josefsson <simon@xxxxxxxxxxxxx>
In-reply-to: <76323E9F0A911944A4E9225FACFC55BA0352C8B5@xxxxxxxxxxxxxxxxx up.windeploy.ntdev.microsoft.com>
List-archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-id: <ietf-pop3ext.imc.org>
List-unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@xxxxxxxxxxxxxxxxx> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@xxxxxxxxxxxx> <45A9DFA8.68E4@xxxxxxxxxxxxxxxxx> <20070114105359.GA30833@xxxxxxxxxxxxxxxx> <87k5zpgz7o.fsf@xxxxxxxxxxxxxxxxxxx> <45AB6731.9090906@xxxxxxxxx> <zS/BiUKvu0x5QwxFHJEDcg.md5@xxxxxxxxxxxxxxxxxxx> <B39CE7B7-98CF-4484-A31A-C175E53D9A74@xxxxxxxxxxxxxxxxx> <76323E9F0A911944A4E9225FACFC55BA0352C8B5@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pop3ext@xxxxxxxxxxxx

At 12:02 PM 1/15/2007, Paul Leach wrote:
>Since DIGEST-MD5 was the MTI for SASL in LDAP, I don't quite get the
>complaints about implementability -- plenty of people did it as a
>result. 

Was but is no longer LDAP's "strong" authentication method.
LDAP's current "strong" authentication method is currently
TLS-protected simple DN/password.  LDAPbis concluded DIGEST-MD5
interoperability, especially in regards to security layers,
just wasn't there.  I don't think any of LDAPbis's concerns
about DIGEST-MD5 were specific to LDAP.

>I really think that all use of plain text passwords, even over an
>encrypted tunnel to a trusted party, should be discouraged. (At
>the very least, a stern passage in the security considerations section is needed.)

I concur.

-- Kurt

References:
- "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Lisa Dusseault
- Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Frank Ellermann
- Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Abhijit Menon-Sen
- Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Simon Josefsson
- Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Alexey Melnikov
- Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Arnt Gulbrandsen
- Re: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Lisa Dusseault
- RE: "POP3 SASL Authentication Mechanism" submitted for publication
  - From: Paul Leach

Prev by Date: RE: "POP3 SASL Authentication Mechanism" submitted for publication
Previous by thread: RE: "POP3 SASL Authentication Mechanism" submitted for publication
Next by thread: Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
Index(es):
- Date
- Thread