Re: SASL WG session at IETF68

[Alexey Melnikov <alexey.melnikov@xxxxxxxxx>]

Frank Ellermann wrote:

> Alexey Melnikov wrote:
>
>  
>
> > Sam posted a DISCUSS on draft-siemborski-rfc2554bis-08.txt (SMTP AUTH).
> > The DISCUSS is in relationship to use of SASL PLAIN over TLS.
> > If I can't clear the DISCUSS this week, I would like to discuss it
> > during the meeting, because I think this is a general issue regarding
> > use of SASL PLAIN in protocols.
> >    
> The [Discuss] has two parts.  The first part claims that 4616 requires
> TLS as some kind of "default", but I don't see this in 4616.  Saying
> that PLAIN must not be advertised / negotiated without TLS should be
> good enough, and the I-D like 4616 do this.
>  
I've already addressed this part in the way you describe.

> The second part says that all implementations must implement STARTTLS.
> That's implied by the "MUST implement PLAIN", but saying so explicitly
> in the same paragraph with "MUST implement PLAIN" can't hurt.
>
> Finally the second part says implementations won't bother to check the
> certificate, and then PLAIN isn't good enough.
This is the part I would like to discuss.

> Now that's tricky, if it's true you could as well replace the "MUST do PLAIN" by a "MUST do
> CRAM-MD5",
This wouldn't fly for a set of reasons I wouldn't repeat here.

> remove the old "MAY CRAM-MD5", add a "SHOULD STARTTLS", and
> remove most of the PLAIN discussion, because it's just what 4616 says.
>