ietf
[Top] [All Lists]

Re: Last Call: 'Email Submission Between Independent Networks' to BCP

2005-06-10 14:24:22
Kurt D. Zeilenga wrote:

And if they don't like CRAM-MD5 what they'll get is LOGIN or
PLAIN _without_ TLS, sigh.
 
I disagree with this statement.  Today, many email client
and server supports TLS

Not my favourite old MUA, unfortunately.  When I implement a
simple script I'm limited to a socket interface, and in that
case cram-md5 / digest-md5 / otp is the best I have.  And the
server in question offers login / plain / cram-md5 for AUTH.

I think the best option for this protocol, given issues
raised by Simon regarding DIGEST-MD5, is TLS+PLAIN.

Where that's possible it's fine.  I'm more interested in the
case where it's impossible.  My understading of the draft is:

"Whatever you do stay away from PLAIN (or the obsolete LOGIN)
 without TLS, use at least CRAM-MD5".

Maybe Brian's proposed compromise covers this concept somehow.
And he wanted "known weaknesses [citations]".  That's about
today, not about some results of the not yet existing HASH WG
in 2006 or later.
                      Bye, Frank



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf



<Prev in Thread] Current Thread [Next in Thread>