[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]
Ian Paterson
ian.paterson at clientside.co.uk
Tue Sep 11 11:20:24 CDT 2007
Peter Saint-Andre wrote:
> Back in August I emailed about this issue [1] with the IETF area
> directors for applications and security, relevant WG chairs, and
> interested others. The conclusion was that in rfc3920bis we would make
> the following changes to the mandatory-to-implement technologies:
>
> 1. Remove DIGEST-MD5
>
I strongly disagree. Restrained (Web) clients can't implement TLS over
TCP/IP. So without DIGEST-MD5 the passwords would end up being
transmitted in the clear!
Even where TLS is available, SASL PLAIN requires server operators to
keep copies of all users' passwords. This is a serious (and often
unnecessary) security weakness.
TLS + DIGEST-MD5 is stronger than TLS + SASL PLAIN.
> 2. Add TLS + SASL PLAIN
>
I agree.
- Ian
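As an added illustration (not part of Ian's message or the thread), the DIGEST-MD5 computation defined in RFC 2831 in Python: the client proves knowledge of the password without putting it on the wire, the server checks the response against the H(username:realm:password) value it holds for that user (a password-equivalent secret it must protect), and answers with rspauth so the client can confirm it talked to the real server. The realm, digest-uri, nonces and password below are constructed sample values.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ha1_for(username: str, realm: str, password: str) -> bytes:
    # H(username:realm:password) in raw binary form, as RFC 2831 specifies for A1.
    # This is what a DIGEST-MD5 server stores per user; it never needs the password itself.
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def digest_from_ha1(ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                    digest_uri: str, a2_method: str) -> str:
    # A1 = H(user:realm:pass):nonce:cnonce ; A2 = method:digest-uri (+ 32 zeros unless qop=auth)
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"{a2_method}:{digest_uri}".encode("utf-8")
    if qop != "auth":
        a2 += b":" + b"0" * 32
    return md5_hex(f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2)}".encode("utf-8"))


def client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    # Client side: method is "AUTHENTICATE"; only the hex digest leaves the client.
    ha1 = ha1_for(username, realm, password)
    return digest_from_ha1(ha1, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")


def server_verify(stored_ha1, response, nonce, cnonce, nc, qop, digest_uri):
    # Server side: recompute from the stored H(A1); return rspauth on success, None on failure.
    expected = digest_from_ha1(stored_ha1, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")
    if not hmac.compare_digest(expected, response):
        return None
    # rspauth uses an empty method in A2 and proves the server also knows H(A1).
    return digest_from_ha1(stored_ha1, nonce, cnonce, nc, qop, digest_uri, "")


def run_exchange(offered_password, nonce=None, cnonce=None):
    # Constructed exchange: the server enrolled "alice" with password "s3cret-sample".
    user, realm, uri, qop, nc = "alice", "example.org", "xmpp/example.org", "auth", "00000001"
    stored_ha1 = ha1_for(user, realm, "s3cret-sample")
    nonce = nonce or secrets.token_hex(16)      # server challenge nonce
    cnonce = cnonce or secrets.token_hex(16)    # client nonce
    response = client_response(user, realm, offered_password, nonce, cnonce, nc, qop, uri)
    wire = f'username="{user}",realm="{realm}",nonce="{nonce}",cnonce="{cnonce}",nc={nc},qop={qop},digest-uri="{uri}",response={response}'
    rspauth = server_verify(stored_ha1, response, nonce, cnonce, nc, qop, uri)
    return {"wire": wire, "rspauth": rspauth}
```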