Now that 2222bis is close to reality, I would like to push the final
version of CRAM out as well. The two documents should be able to go
through together, (I hope) making life easier for the RFC editor.
I have some non-substantive editorial changes that will make the
document a bit easier to read, but these are not show stoppers. I think
all of the last round of comments are addressed in the current draft.
If not, I would like to hear from people, soon.
I would also like to solicit a few additional examples from anyone who
has implemented CRAM in other than IMAP.
Finally, we need to address the issue of the MD5 "break." I have held
off from commenting on this issue until the community has seen explicit
evidence of the attack, and the implications of it. At this point, I
don't know if the document deserves a writeup on the attack. Theory
abounds, but I haven't yet seen a practical attack that works in the
general case. We should at the least make mention of what has been
discussed, and point to the literature, but I don't think the document
deserves to discuss all the possible attacks. This doesn't mean to
discourage anyone from contributing text to the Security Considerations
section (please do).
The IMAP-EXT list has had recent discussion that points out the
ambiguity of searching for the space (SP) separator (between the user
id and the digest) as being the rightmost SP, so I will strengthen that
text. Any other comments should come forth soon as I would like to run
out the final draft at the end of next week (Oct. 8) if I can.
Cheers,
--lyndon (editor)
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf