Hi. I'm not in a good position to write a long response now; let me
know if you do end up wanting a longer response and you'll get it in a
week or so.
I don't think cram-md5 is a reasonable best current practice. I think
it is accurate to describe it as a common practice.
It's my recollection that cram-md5 is vulnerable to man-in-the-middle
attacks but digest-md5 is not. It's also my recollection that
digest-md5 will do a much better job of supporting servers that do not
want to store plaintext equivalents than cram-md5. The server will
store a secret that is sufficient to log into that server but may not
be sufficient to log into other servers.
Digest-md5 also supports an integrity and confidentiality layer.
I think all of the above are significant advantages over cram-md5.
If you are concerned that digest-md5 is not sufficiently widely
implemented then let's recommend plain+tls and digest-md5. I think
those are two low-infrastructure protocols in wide use.
_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
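A worked illustration of the stored-secret point made in the message above (added here as an example; it is not code from the original post or from any IETF document). CRAM-MD5 per RFC 2195 keys an HMAC-MD5 with the password itself, so the verifier must hold a plaintext equivalent; DIGEST-MD5 per RFC 2831 lets the server store H(username:realm:password), which is bound to one realm and is not a credential for a server in another realm. All usernames, passwords, nonces and realms below are constructed sample values.

```python
import hashlib
import hmac

# CRAM-MD5 (RFC 2195): the response is HMAC-MD5 keyed with the password itself,
# so the verifier must hold the password (or equivalent HMAC key material).
def cram_md5_response(username, password, challenge):
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {mac}"

def cram_md5_verify(stored_password, challenge, response):
    username = response.split(" ", 1)[0]
    expected = cram_md5_response(username, stored_password, challenge)
    return hmac.compare_digest(expected, response)

# DIGEST-MD5 (RFC 2831, qop=auth, no authzid): the server may store the raw
# 16-byte H(username:realm:password) instead of the password. That value is
# bound to one realm, so a copy of one server's store does not log in elsewhere.
def digest_md5_secret(username, realm, password):
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def digest_md5_response(secret, nonce, cnonce, nc, digest_uri, rspauth=False):
    # A2 is "AUTHENTICATE:uri" for the client's response and ":uri" for the
    # server's rspauth; the latter is what gives mutual authentication.
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    ha2 = hashlib.md5(a2.encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()

def demo():
    # Constructed sample values; not taken from any real exchange.
    user, password = "alice", "correct horse"
    challenge = "<1234.1700000000@mail.example>"
    cram = cram_md5_response(user, password, challenge)
    nonce, cnonce, nc, uri = "srvnonce01", "clinonce01", "00000001", "imap/mail.example"
    # The client derives its secret from the password; the mail server holds only
    # the stored hash for its own realm, and the chat server one for its realm.
    client_resp = digest_md5_response(digest_md5_secret(user, "mail.example", password),
                                      nonce, cnonce, nc, uri)
    stored_mail = digest_md5_secret(user, "mail.example", password)
    stored_chat = digest_md5_secret(user, "chat.example", password)
    return {
        "cram_ok": cram_md5_verify(password, challenge, cram),
        "cram_wrong_pw": cram_md5_verify("wrong", challenge, cram),
        "digest_ok": digest_md5_response(stored_mail, nonce, cnonce, nc, uri) == client_resp,
        "other_realm_store_matches": digest_md5_response(stored_chat, nonce, cnonce, nc, uri) == client_resp,
        "rspauth_differs": digest_md5_response(stored_mail, nonce, cnonce, nc, uri, True) != client_resp,
    }

if __name__ == "__main__":
    print(demo())
```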