[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]

Ian Paterson ian.paterson at clientside.co.uk
Tue Sep 11 16:20:24 UTC 2007


Peter Saint-Andre wrote:
> Back in August I emailed about this issue [1] with the IETF area
> directors for applications and security, relevant WG chairs, and
> interested others. The conclusion was that in rfc3920bis we would make
> the following changes to the mandatory-to-implement technologies:
>
> 1. Remove DIGEST-MD5
>   

I strongly disagree. Restrained (Web) clients can't implement TLS over 
TCP/IP. So without DIGEST-MD5 the passwords would end up being 
transmitted in the clear!

Even where TLS is available, SASL PLAIN requires server operators to 
keep copies of all users' passwords. This is a serious (and often 
unnecessary) security weakness.

TLS + DIGEST-MD5 is stronger than TLS + SASL PLAIN

> 2. Add TLS + SASL PLAIN
>   

I agree.

- Ian




More information about the Standards mailing list