Security (was: WG Last Call: draft-ietf-sasl-crammd5-08.txt)
| CRAM-MD5 is no longer considered to provide adequate protection.
That's not the case, as it depends on the circumstances where
CRAM-MD5 is used. E.g. over TLS it could be fine (ignoring the
issue discussed in a separate thread wrt 2554bis), and CRAM-MD5
is certainly better than APOP (as stated in 2195) or "LOGIN".
It's also "better" than DIGEST-MD5 where it's easy to implement
and almost impossible to get it wrong. Where somebody managed
to implement 2069 / 2617 / 2831 / 2831bis with their many more
or less subtle differences CRAM-MD5 still isn't much worse for
its purpose: It only has no <cnonce> and no <response-auth>.
That's noted in the 3rd paragraph of the security considerations.
Readers are able to draw their own conclusions without this
"executive summary" at the beginning. Besides, there is already
another summary in the intro:
| The mechanism offers inadequate protection against common
| attacks against application-level protocols (see Section 5)
| and is prone to interoperability problems (see Section 4).
Section 5 explains why that's not limited to application-level
protocols, therefore this statement could be truncated:
| The mechanism offers inadequate protection against common
| attacks (see Section 5).
Frank
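As an added illustration (not part of Frank's message or the draft), this is the CRAM-MD5 exchange from RFC 2195 in Python: the server sends a challenge, the client answers with HMAC-MD5 keyed by the password, and the server recomputes and compares. The helper names and the "alice" credentials are constructed for the demo; the "tim"/"tanstaaftanstaaf" pair is the RFC 2195 test vector. The comments mark the two elements the message says CRAM-MD5 lacks relative to DIGEST-MD5.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

# RFC 2195 section 2 test vector (the challenge before base64 encoding).
RFC2195_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"


def make_challenge(host: str) -> str:
    """Server side: a fresh, unique string (RFC 2195 suggests <pid.timestamp@host>).
    Freshness rests entirely on this value: there is no client nonce (<cnonce>)
    in CRAM-MD5, so a server must never hand out the same challenge twice."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{host}>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: hex HMAC-MD5(key=password, msg=challenge), prefixed with the
    username and a space; the wire form is the base64 encoding of that line."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(response_b64: str, challenge: str,
                    lookup_password: Callable[[str], Optional[str]]) -> Optional[str]:
    """Server side: recompute the HMAC for the claimed user and compare in
    constant time. Returns the authenticated username, or None on any failure.
    Note the exchange ends here: unlike DIGEST-MD5's <response-auth>, the
    server never proves to the client that it knows the password."""
    try:
        line = base64.b64decode(response_b64, validate=True).decode()
        username, digest = line.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    password = lookup_password(username)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


if __name__ == "__main__":
    # Constructed demo credentials; the server must hold the plaintext (or the
    # RFC 2195 intermediate HMAC state) to verify, which is part of the risk.
    users = {"alice": "s3cret"}
    chal = make_challenge("mail.example.invalid")
    resp = cram_md5_response("alice", "s3cret", chal)
    print("authenticated:", cram_md5_verify(resp, chal, users.get))
```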