Re: CRAM-MD5 applicability statement
Folks, I have a meeting conflict at work that will prevent me from being
online during the WG sessions. Here's what I have in the queue for
changes to the CRAM draft.
1) Add the following text as a third paragraph in section 1:

On Mon, 14 Aug 2006, Kurt D. Zeilenga wrote:
> At IETF#66, I agreed to suggest text for a CRAM-MD5 applicability
> statement suitable for inclusion in draft-ietf-sasl-crammd5-07.
>
>    The CRAM-MD5 mechanism is intended to have limited use on the
>    Internet. The mechanism offers inadequate protection against
>    common attacks against application-level protocols (see the
>    Security Considerations section) and is prone to interoperability
>    problems (see Interoperability Considerations section). Designers
>    considering profiling use of this mechanism in their
>    application-level protocols should consider alternative
>    mechanisms intended for common use, such as DIGEST-MD5.
2)
> As indicated by my above suggestion, I see the need to add a
> section that discusses known interoperability issues, such as
> those due to incompatible character sets/normalizations/encodings.

This can be incorporated into an expanded Appendix D as part of the
discussion of the rationale for the changes vs. 2195.
3) Rewrite section 4 to incorporate
> I also suggest starting the security consideration section with
> a brief introductory paragraph that reinforces the position that
> the mechanism offers inadequate protection. It would be good to
> conclude the section with yet another reinforcing statement.

and to clarify (and simplify) the existing text.
5) Delete the last paragraph of section 4. (I added this in the hope of
generating some discussion about applicability. It appears to have done
its job ;-)
--lyndon
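The interoperability problem Kurt refers to in item 2 (incompatible character sets, normalizations and encodings) is easy to see in code. The following is an added example and is not part of this message, the draft, or RFC 2195: it implements the CRAM-MD5 exchange as RFC 2195 defines it (client returns base64 of "username SP hex(HMAC-MD5(secret, challenge))") and then shows that a client and server which hold the "same" non-ASCII password but disagree on Unicode normalization form or byte encoding compute different digests, so authentication fails. The challenge string, the user name, the password and the variant labels are constructed for the example. Note also that `verify` must be given the shared secret itself, since the server has to recompute the HMAC; that is one reason the mechanism's protection is limited.

```python
import base64
import hashlib
import hmac
import unicodedata
from typing import Callable, Dict, Optional, Tuple

# Constructed sample challenge (not taken from the draft or the RFC).
CHALLENGE = b"<12345.1155600000@mail.example>"


def cram_md5_response(username: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side of CRAM-MD5 (RFC 2195).

    The digest is HMAC-MD5 keyed with the shared secret over the server's
    challenge; the response is base64("username" SP lowercase-hex-digest).
    """
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii"))


def verify(response: bytes, challenge: bytes,
           lookup: Callable[[str], Optional[bytes]]) -> bool:
    """Server side: decode the response, recompute the digest, compare.

    `lookup` returns the cleartext shared secret for a user, or None if the
    user is unknown. The server needs the secret itself, not a hash of it.
    """
    try:
        decoded = base64.b64decode(response, validate=True).decode("ascii")
        user, digest = decoded.split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    secret = lookup(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def password_bytes(password: str, form: Optional[str], encoding: str) -> bytes:
    """Turn a password string into key bytes under a given normalization
    form (NFC, NFD, or None for "as typed") and character encoding."""
    if form:
        password = unicodedata.normalize(form, password)
    return password.encode(encoding)


def interop_matrix(username: str, password: str,
                   challenge: bytes) -> Dict[Tuple[str, str], bool]:
    """Try every (client convention, server convention) pair and record
    whether the server accepts the client's response. Only pairs that agree
    on normalization AND encoding succeed."""
    variants = {
        "NFC/UTF-8": password_bytes(password, "NFC", "utf-8"),
        "NFD/UTF-8": password_bytes(password, "NFD", "utf-8"),
        "NFC/Latin-1": password_bytes(password, "NFC", "latin-1"),
    }
    results: Dict[Tuple[str, str], bool] = {}
    for client_name, client_key in variants.items():
        response = cram_md5_response(username, client_key, challenge)
        for server_name, server_key in variants.items():
            def lookup(user: str, key: bytes = server_key) -> Optional[bytes]:
                return key if user == username else None
            results[(client_name, server_name)] = verify(response, challenge, lookup)
    return results


if __name__ == "__main__":
    # "caf\u00e9" has a composed and a decomposed Unicode spelling, and a
    # different byte form again in Latin-1, so three plausible key strings exist.
    for (client, server), ok in interop_matrix("tim", "caf\u00e9", CHALLENGE).items():
        print(f"client {client:12s} server {server:12s} -> {'ok' if ok else 'FAIL'}")
```

Running the module prints a 3x3 matrix in which only the diagonal succeeds; any mismatch between how the two sides canonicalise and encode the password yields a different HMAC key and therefore a different digest. A mechanism that specifies the normalization and encoding unambiguously avoids this failure mode, which is what the suggested interoperability section is for.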