[Standards] [Fwd: Future of DIGEST-MD5]

Peter Saint-Andre stpeter at jabber.org
Mon Mar 19 15:28:45 UTC 2007

FYI. Since RFC 3920 mandates DIGEST-MD5, this may be of interest 
regarding rfc3920bis. Provide feedback on the ietf-sasl at imc.org list.


-------- Original Message --------
Date: Sun, 18 Mar 2007 10:56:30 +0000
From: Alexey Melnikov <alexey.melnikov at isode.com>
To: ietf-sasl at imc.org
Subject: Future of DIGEST-MD5

Hi folks,
During recent IETF Last Calls on SMTP and POP3 AUTH documents it became
quite clear that implementors didn't like DIGEST-MD5 for the following

1). it is complex to implement and has too many options that don't
interoperate well
2). it has some minor design flaws (e.g. lack of protection of the qop
and cipher lists sent by the server, doesn't provide hash agility)
3). some features cause pain for sysadmins (e.g. renaming a user
invalidates SS hash)

I am also seeing general lack of interest in the document. Even though
it was fun learning new things while working on DIGEST-MD5, I am feeling
like I am dragging both the carriage and the horse. Which makes me
wonder if I should continue to spend my time on this document (*).
Having said that I see some alternatives in moving forward:

1). Abandon 2831bis. Possibly publish a document moving RFC 2821 to
Historic. (**)
2). Abandon attempts to fix RFC 2831. Publish 2831bis which only
clarifies ambiguities and fixes obvious bugs. It will document features
which must not be used due to lack of interoperability. The document
will not define any new features, i.e. no channel bindings, SASLPrep,
fixed confidentiality layer, etc. (**)
3). Get 2831bis published.

So I would like to poll the WG to see what the WG preference is.


(*) I have 20 or so other documents I am [co-]editing so I would rather
concentrate on getting them finished.

(**) WG time might be better spent on designing a new mechanism that is
simpler than DIGEST-MD5 and/or has better properties. I got impressions
that many people think that it would be nice to have a SASL mechanism
which has properties similar to the ones provided by DIGEST-MD5.

Peter Saint-Andre
XMPP Standards Foundation

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7358 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20070319/7bd25635/attachment.bin>

More information about the Standards mailing list