Re: SASL WG session at IETF68
Alexey Melnikov wrote:
>> Finally the second part says implementations won't bother
>> to check the certificate, and then PLAIN isn't good enough.
> This is the part I would like to discuss.
>> Now that's tricky, if it's true you could as well replace
>> the "MUST do PLAIN" by a "MUST do CRAM-MD5",
[both over TLS, obviously]
> This wouldn't fly for a set of reasons I wouldn't repeat here.
I don't recall any discussion involving you about "CRAM-MD5 over
TLS" here (or elsewhere). But I haven't been reading this list very long;
if it was before 2005 I've certainly missed it.
Anyway, if you don't like to replace PLAIN you can either add a
"SHOULD check cert" (the TLS RFC might have some MUSTard in this
direction, I'm too lazy to look), or maybe Sam's argument isn't
correct (?)
Frank