
RE: RFC 2195 (Was: what happened to newtrk?)

2006-09-07 17:29:50
From: Kurt D. Zeilenga [mailto:Kurt(_at_)OpenLDAP(_dot_)org]
At 04:07 PM 9/7/2006, John C Klensin wrote:
I think we have a small misunderstanding here.  Let me say more
clearly and briefly

My message was intended to clarify why the SASL WG is
pursuing an Informational recommendation for its RFC2195bis
work and to redirect any comments specific to this work to
the WG's list.

Well, if I remember correctly, there was ample discussion of this topic
during the IETF meeting in Paris -- both Steve Bellovin and I presented
the issues with such techniques. Basic challenge response mechanisms
like CRAM-MD5 are simply too weak to be used on the Internet. They are
subject to dictionary attacks, which can retrieve the password in a very
short time. They don't deserve much more than documentation for
historical purpose.

-- Christian Huitema
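
The dictionary-attack weakness described in the message above, as an added example that is not part of the original thread: a CRAM-MD5 response is HMAC-MD5 keyed with the password over a challenge that travels in the clear, so anyone holding the two wire lines can test candidate passwords offline, which is also how an operator can audit recorded exchanges for guessable passwords. The exchange is the sample from RFC 2195; the function names and the candidate list are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac


def cram_md5_response(user, password, challenge_b64):
    """Client side of RFC 2195: base64("user " + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def find_guessable_password(challenge_b64, response_b64, candidates):
    """Return the candidate that reproduces an observed response, else None.

    Only the two base64 lines seen on the wire are needed; the server is
    never contacted, so lockouts and rate limits do not apply.
    """
    challenge = base64.b64decode(challenge_b64)
    # The user name may contain spaces; the digest is the last field.
    _user, _, observed = base64.b64decode(response_b64).decode().rpartition(" ")
    for guess in candidates:
        digest = hmac.new(guess.encode(), challenge, hashlib.md5).hexdigest()
        if hmac.compare_digest(digest, observed.lower()):
            return guess
    return None


# Sample exchange from RFC 2195 (user "tim"), encoded as it appears on the wire.
RFC_CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
RFC_RESPONSE = base64.b64encode(b"tim b913a602c7eda7a495b4e6e7334d3890").decode()

# Constructed candidate list for the illustration.
WORDLIST = ["password", "letmein", "tanstaaftanstaaf", "correct horse"]

if __name__ == "__main__":
    hit = find_guessable_password(RFC_CHALLENGE, RFC_RESPONSE, WORDLIST)
    print("password recoverable from transcript:", hit)
```

Each guess costs one HMAC-MD5 computation, so the strength of the exchange rests entirely on the entropy of the password.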
