ietf-smtp

Re: Requesting reviews: SMTP AUTH update, draft-siemborski-rfc2554bis-05.txt

2006-12-05 21:02:50



--On Monday, 27 November, 2006 17:50 +0000 Alexey Melnikov
<alexey(_dot_)melnikov(_at_)isode(_dot_)com> wrote:

> Hi,
> I would like to solicit some reviews of the 2554bis draft.
> I am planning to get it done by the end of this year, with
> IETF LC in January next year.

Alexey,

I've skimmed through this; nothing jumps out at me as a
showstopper.

Three comments:

(1) It seems a little more complex than my intuition says it
needs to be.  My intuition could be wrong.

(2) Wrt the debate about CRAM-MD5 versus DIGEST-MD5, I think
what we have been told is that neither is safe unless protected
by transmission encryption.  If that encryption is present, it
is not clear to me that CRAM-MD5 is much weaker (and it is
certainly more widely implemented and deployed).  If that
encryption is not present, I think we have been told that _no_
challenge-response mechanism based on an MD5 hash can, any
longer, be considered adequate.  If one could say "one good,
the other bad", then CRAM-MD5 ought to be history but, unless
I've misunderstood the security advice, that statement no longer
applies.

(3) The comments about line lengths of the Base64 strings, and
perhaps a few other things, smack of the possibility of having
to do an out-of-band negotiation or agreement about sizes
between client and server.  If that is not the case, the text
could use a little cleaning up, perhaps in the form of a
reference to whether the necessary lengths can be found for each
possible method.  If it is... well, that is trouble.

regards,
   john
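The exchange behind comments (2) and (3), as an added example that is not part of this thread or of the draft: both sides of an SMTP AUTH CRAM-MD5 dialogue (RFC 2195 style, HMAC-MD5 keyed with the password over a server challenge) plus a check that the Base64 lines fit a fixed limit. The 12288-octet limit is taken from the later-published RFC 4954 and the hostname and credential store are constructed; both are assumptions, not text from this page.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed limit: the published RFC 4954 names 12288 octets as sufficient for the
# Base64 lines of deployed mechanisms; the draft text itself is not on this page.
MAX_AUTH_LINE_OCTETS = 12288

def make_challenge(hostname: str) -> str:
    # Server side: a fresh, unpredictable challenge in the RFC 2195 "<id@host>" shape.
    return f"<{secrets.token_hex(16)}@{hostname}>"

def cram_md5_response(username: str, password: str, challenge: str) -> str:
    # Client side: "username hex(HMAC-MD5(key=password, msg=challenge))", before Base64.
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"

def to_wire(text: str, prefix: str = "") -> str:
    # One SMTP AUTH line as sent; the server challenge carries the "334 " reply code.
    return prefix + base64.b64encode(text.encode()).decode("ascii")

def fits_auth_line(line: str) -> bool:
    # Comment (3): the encoded line plus CRLF must fit a limit independent of SMTP's usual one.
    return len(line.encode("ascii")) + 2 <= MAX_AUTH_LINE_OCTETS

def verify_response(wire: str, challenge: str, password_db: dict) -> bool:
    # Server side: recompute the HMAC, which needs the cleartext password for every account.
    try:
        username, _, digest = base64.b64decode(wire, validate=True).decode().rpartition(" ")
    except (ValueError, UnicodeDecodeError):
        return False
    password = password_db.get(username)
    if password is None or len(digest) != 32:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest.lower(), expected)

def run_exchange(username: str, password: str, password_db: dict, hostname: str = "mail.example.test") -> dict:
    # Both sides of one exchange, returned as a transcript for inspection (hostname is constructed).
    challenge = make_challenge(hostname)
    server_line = to_wire(challenge, "334 ")
    client_line = to_wire(cram_md5_response(username, password, challenge))
    return {
        "server": server_line,
        "client": client_line,
        "lines_fit": fits_auth_line(server_line) and fits_auth_line(client_line),
        "authenticated": verify_response(client_line, challenge, password_db),
    }
```

Nothing in the transcript is secret except through the HMAC, which is why the thread treats the mechanism as acceptable only under transport encryption.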
