
Re: I-D ACTION:draft-siemborski-rfc2554bis-02.txt (fwd)

2003-12-07 08:06:18

Rob Siemborski writes:
The most controversial issue I've hit so far is the choice of a mandatory-to-implement (at a minimum level) SASL mechanism. From the people I've talked to, it seems that the choice of DIGEST-MD5 is more popular than the choice (that IMAP made) of STARTTLS+PLAIN, so that's where the document currently stands.

I've been told that digest-md5 can be implemented without storing cleartext passwords. Is that correct? I found an expired draft which suggests that it's true in some circumstances (when the realm is not sensitive).

If that's correct, then I think DIGEST-MD5 is an excellent choice. No cleartext on the wire, often no cleartext on the server, and the client need not trust the server.

I like it.

For example, suppose a user already has logged in to an IMAP or POP server, then sends some mail, and the SMTP server challenges the client to produce credentials.

With DIGEST-MD5 the client can try a response immediately, based on the IMAP/POP password. If it's the right one, the user did not have to retype the password (possibly in front of company). If it's wrong, the SMTP client hasn't revealed the user's password.

Very good.
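Added example, not part of the thread: a Python sketch of the RFC 2831 DIGEST-MD5 exchange described above, where the SMTP server stores only MD5(username:realm:password) rather than the cleartext password, and where the client verifies the server's rspauth in return. The realm, URI, user and passwords are constructed; character-set handling is simplified to UTF-8.

```python
import hashlib
import secrets

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def stored_secret(username, realm, password) -> bytes:
    # RFC 2831 H(username:realm:passwd), raw 16 bytes: what the server keeps instead of the
    # cleartext password. It is realm-bound, so the realm must be fixed and known to clients.
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))

def digest_response(ha1, nonce, cnonce, nc, digest_uri, authenticate=True) -> str:
    # RFC 2831 response for qop=auth; authenticate=False gives the server's rspauth.
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = (b"AUTHENTICATE:" if authenticate else b":") + digest_uri.encode("utf-8")
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:auth:{md5(a2).hex()}"
    return md5(kd.encode("utf-8")).hex()

def client_respond(username, realm, password, nonce, digest_uri):
    # Client side: answers the challenge with a hash; the password never leaves the client.
    cnonce, nc = secrets.token_hex(16), "00000001"
    ha1 = stored_secret(username, realm, password)
    return {"username": username, "realm": realm, "nonce": nonce, "cnonce": cnonce, "nc": nc,
            "digest-uri": digest_uri, "response": digest_response(ha1, nonce, cnonce, nc, digest_uri)}

def server_verify(db, msg, issued_nonce):
    # Server side: recompute from the stored digest. Returns rspauth on success, else None.
    ha1 = db.get((msg["username"], msg["realm"]))
    if ha1 is None or msg["nonce"] != issued_nonce:
        return None  # unknown user, or a nonce this server did not just issue
    expected = digest_response(ha1, issued_nonce, msg["cnonce"], msg["nc"], msg["digest-uri"])
    if not secrets.compare_digest(expected, msg["response"]):
        return None  # wrong password: the attempt exposed only a nonce-bound hash
    return digest_response(ha1, issued_nonce, msg["cnonce"], msg["nc"], msg["digest-uri"], False)

def client_check_rspauth(username, realm, password, msg, rspauth) -> bool:
    # Mutual auth: the client confirms the server also knows the secret before trusting it.
    ha1 = stored_secret(username, realm, password)
    expected = digest_response(ha1, msg["nonce"], msg["cnonce"], msg["nc"], msg["digest-uri"], False)
    return secrets.compare_digest(expected, rspauth)

# Constructed sample store: the SMTP server holds only the digest of alice's IMAP password.
REALM, URI = "mail.example.test", "smtp/mail.example.test"
USER_DB = {("alice", REALM): stored_secret("alice", REALM, "imap-password-1")}

def try_login(password: str) -> bool:
    # One SMTP attempt, reusing whatever password the client already has from IMAP/POP.
    nonce = secrets.token_hex(16)  # fresh server challenge
    msg = client_respond("alice", REALM, password, nonce, URI)
    rspauth = server_verify(USER_DB, msg, nonce)
    return rspauth is not None and client_check_rspauth("alice", REALM, password, msg, rspauth)
```

`try_login("imap-password-1")` succeeds and `try_login("wrong-guess")` fails, with nothing but 32-hex-digit digests crossing the wire in either case.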

