[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SASL WG session at IETF68
Frank Ellermann wrote:
Alexey Melnikov wrote:
Sam posted a DISCUSS on draft-siemborski-rfc2554bis-08.txt (SMTP AUTH).
The DISCUSS is in relationship to use of SASL PLAIN over TLS.
If I can't clear the DISCUSS this week, I would like to discuss it
during the meeting, because I think this is a general issue regarding
use of SASL PLAIN in protocols.
The [Discuss] has two parts. The first part claims that 4616 requires
TLS as some kind of "default", but I don't see this in 4616. Saying
that PLAIN must not be advertised / negotiated without TLS should be
good enough, and the I-D like 4616 do this.
I've already addressed this part in the way you describe.
The second part says that all implementations must implement STARTTLS.
That's implied by the "MUST implement PLAIN", but saying so explicitly
in the same paragraph with "MUST implement PLAIN" can't hurt.
Finally the second part says implementations won't bother to check the
certificate, and then PLAIN isn't good enough.
This is the part I would like to discuss.
Now that's tricky, if it's true you could as well replace the "MUST do PLAIN" by a "MUST do
This wouldn't fly for a set of reasons I wouldn't repeat here.
remove the old "MAY CRAM-MD5", add a "SHOULD STARTTLS", and
remove most of the PLAIN discussion, because it's just what 4616 says.