Lisa Dusseault wrote:
are we looking at the same version of this doc?
No, the last called is -07, it doesn't REQUIRE [DIGEST-MD5] anymore:
| Note that many existing client and server implementations implement
| CRAM-MD5 [CRAM-MD5] SASL mechanism. In order to insure interoperability
| with deployed software new implementations MAY implement it, however
| implementations should be aware that this SASL mechanism doesn't
| provide any server authentication. Implementations that want to provide
| server authentication are encouraged to implement SASL mechanisms such
| as DIGEST-MD5 [DIGEST-MD5].
The MAY is a bit obscure; of course they MAY do this, optionally. I'd
prefer a clearer SHOULD to s/insure/ensure/ (?) interoperability. It
has references to 2195 and 2831bis, and talks about SASLprep. How about
using 2195bis, its "security considerations" might be more up to date?
The question of the 2195bis status (draft standard vs. informational)
will be interesting, but it won't affect 2554bis, and maybe we'll find
a compromise between those positions.
Frank
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf