Re: Digest-MD5 to Historic
Alexey Melnikov wrote:

> I think the text you've suggested would be good for an
> interoperability report on an update to DIGEST-MD5 itself.

I have just learned that XMPP also uses DIGEST-MD5, and my
MD5 test suite does not yet include the 3920bis example :-(

The complete "deprecate 2831" plan is premature, maybe we
should pick your old 2831bis draft, remove the new features
including "bindings", remove the old "auth" variants as not
unnecessary for current common practice, and publish the
rest as 2831bis "draft standard" with three clear warnings:

- interoperability is non-trivial, and guaranteed to fail
  for MD5-sess wrt RFC 2617 MD5-sess
- all passwords, user names, and realms are supposed to be
  in SASLprep UTF-8
- new intended usage "rare" or whatever the opposite of
  "common" is (=> update SASL registry), anybody trying to
  replace CRAM-MD5 by DIGEST-MD5 is a public danger and in
  need of medical help ;-)

> My "DIGEST-MD5 to historic" draft was never intended as a
> detailed description of all things broken in DIGEST-MD5.

Yes, your 2831bis draft was better for this purpose. When
you (this WG) decided to deprecate it, did anybody check
the normative references *to* RFC 2831 ? Bill created a
nice tool for this job:

http://rtg.ietf.org/~fenner/ietf/deps/index.cgi?dep=rfc2831

Frank