Frank Ellermann wrote:
william(at)elan.net wrote:
CRAM-M5 and DIGEST-MD5 are not considered (no longer
considered) to be good authentication methods when used
across the Internet.
The default translation for such statements is "VeriSign
wants to sell its PKI", therefore I (try to) look for the
real reasons starting with an assumption of "commercial
interests by vendors of wannabe-better-than-KISS schemes".
Yeah, I'm spoiled, bye, Frank
<http://purl.net/xyzzy/src/md5.cmd> (REXX MD5 stuff)
OK. But no need for all that. OpenSSL certs are all you need for TLS.
It's a bit of a pain to set up (no point and click, you actually have
to RTFM), but once you've got TLS, then it's no problem at all to use
whatever you want. If it's your own server, you can even authenticate
based just on the cert and skip the whole username password issue.
No Verisign PKI required.
Scott K