[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]

Greg Hudson ghudson at MIT.EDU
Wed Sep 12 16:44:11 UTC 2007


On Tue, 2007-09-11 at 19:51 +0100, Dave Cridland wrote:
> If I ruled the world, I'd mandate TLS+SCRAM, and have a SHOULD for
> TLS+YAP (the latter being plaintext-equiv on the server, but only a
> single round-trip, so great for mobiles).

You may be missing the most popular reason for sending plain-text
passwords to the server (over TLS, one hopes): it's the only way for the
server to check the password against an external verifier such as an
LDAP server, AD controller, or Kerberos KDC.  (GSSAPI krb5 auth is much
better if you have an AD controller or Kerberos KDC, of course, but I
don't hold out much hope for that being universally implemented in
clients.)
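To make the point above concrete, here is an added example (not code from the thread or from any implementation it mentions) contrasting what a server needs in hand for PLAIN over TLS versus SCRAM. The `_DIRECTORY` table and `external_bind` function are a constructed stand-in for an LDAP simple bind, an AD controller or a KDC pre-authentication check: a yes/no oracle that never exposes a hash. The SCRAM side follows RFC 5802 with the SHA-256 variant of RFC 7677 and no channel binding; function names are the example's own.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for an external verifier: answers yes/no for a
# (user, password) pair and never hands out a hash. Sample data only.
_DIRECTORY = {"alice": "correct horse battery staple"}


def external_bind(user, password):
    """Yes/no oracle, the only interface a bind-style verifier exposes."""
    expected = _DIRECTORY.get(user, "\0").encode()
    return hmac.compare_digest(expected, password.encode())


def plain_server_check(user, password):
    """PLAIN over TLS: the server briefly holds the password itself and can
    simply forward it to the external verifier."""
    return external_bind(user, password)


# SCRAM-SHA-256 helpers (RFC 5802 / RFC 7677), gs2 header "n,," only.
def _h(data):
    return hashlib.sha256(data).digest()

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _b64(data):
    return base64.b64encode(data).decode()


def scram_enroll(password, salt=None, iterations=4096):
    """Per-user state a SCRAM server must hold. It derives from the password
    itself, so it can only be captured when the server sees the password
    (enrollment or password change), never from a bind oracle."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(_hmac(salted, b"Client Key")),
            "server_key": _hmac(salted, b"Server Key")}


def scram_client_first(user):
    """Returns (client-first-message, client-first-message-bare)."""
    bare = f"n={user},r={_b64(os.urandom(18))}"
    return "n,," + bare, bare


def scram_server_first(client_first_bare, verifier):
    client_nonce = client_first_bare.split(",r=", 1)[1]
    return (f"r={client_nonce}{_b64(os.urandom(18))},"
            f"s={_b64(verifier['salt'])},i={verifier['iterations']}")


def scram_client_final(password, client_first_bare, server_first):
    fields = dict(f.split("=", 1) for f in server_first.split(","))
    client_nonce = client_first_bare.split(",r=", 1)[1]
    if not fields["r"].startswith(client_nonce):
        raise ValueError("server nonce does not extend client nonce")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(fields["s"]), int(fields["i"]))
    client_key = _hmac(salted, b"Client Key")
    without_proof = f"c={_b64(b'n,,')},r={fields['r']}"
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage): proves
    # knowledge of the password without ever sending it or ClientKey.
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    return f"{without_proof},p={_b64(proof)}"


def scram_server_verify(client_first_bare, server_first, client_final, verifier):
    """Needs StoredKey. A bind-only directory cannot supply it, and the proof
    cannot be turned back into a password to bind with, so this step has no
    external-verifier equivalent."""
    without_proof, proof_b64 = client_final.rsplit(",p=", 1)
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_signature = _hmac(verifier["stored_key"], auth_message)
    recovered_client_key = _xor(base64.b64decode(proof_b64), client_signature)
    return hmac.compare_digest(_h(recovered_client_key), verifier["stored_key"])


def scram_exchange(user, password_attempt):
    """Full exchange. The verifier is built from the directory's plaintext
    entry, i.e. this only works because the server had the password once."""
    if user not in _DIRECTORY:
        return False
    verifier = scram_enroll(_DIRECTORY[user])
    _, bare = scram_client_first(user)
    server_first = scram_server_first(bare, verifier)
    client_final = scram_client_final(password_attempt, bare, server_first)
    return scram_server_verify(bare, server_first, client_final, verifier)
```

`plain_server_check` succeeds with nothing more than the bind oracle; `scram_server_verify` succeeds only because `scram_enroll` was run with the plaintext password. That asymmetry is why a server whose accounts live in a directory it does not control is stuck offering a plaintext mechanism, and why putting TLS underneath it matters.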