ietf
[Top] [All Lists]

Re: Last Call: draft-siemborski-rfc2554bis (SMTP Service Extension for Authentication) to Proposed Standard

2007-01-26 15:59:18
Hi Philip, thanks for the review. But are we looking at the same version of this doc? We dealt with this after doing a pseudo-WG-last- call on the SMTP mailing list and the -07 draft now has:

          To ensure interoperability, client and server implementations
          of this extension MUST implement the [PLAIN] SASL mechanism.

          Note: a server implementation MUST implement a configuration
in which it does NOT permit any plaintext password mechanisms,
          unless either the STARTTLS [SMTP-TLS] command has been
          negotiated or some other mechanism that protects the session
from password snooping has been provided. Server sites SHOULD
          NOT use any configuration which permits a plaintext password
mechanism without such a protection mechanism against password
          snooping.

Lisa


On Jan 24, 2007, at 7:15 PM, Philip Guenther wrote:

On Wed, 24 Jan 2007, The IESG wrote:
The IESG has received a request from an individual submitter to consider
the following document:

- 'SMTP Service Extension for Authentication '
  <draft-siemborski-rfc2554bis-07.txt> as a Proposed Standard


draft-siemborski-rfc2554bis does not appear to contain any text similar to the last paragraph of section 4 in the rfc1734bis draft, requiring servers to support a configuration that does not permit passive password snooping.

I disagree with the choice of DIGEST-MD5 as the mandatory-to- implement mechanism. Given that many of the other protocols likely to be used by an SMTP client, such as POP3, IMAP4rev1, and LDAP, have chosen to specify "TLS followed by a cleartext password authentication" as their MtI authentication method, specifying DIGEST-MD5 here seems like a needless difference. I see no reason to believe DIGEST-MD5 will be more deployable in SMTP/submission servers than in IMAP, POP3, or LDAP servers.


Philip Guenther

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf