Dave Crocker wrote:

> 1. You mean that MD5 is not a common, current practise that
> provides a useful degree of security?

The SASL-registry says "limited" for CRAM-MD5 and "common" for DIGEST-MD5, whatever that means. I know an MSA offering...

AUTH PLAIN LOGIN CRAM-MD5

...s/CRAM-MD5/OTP/ or similar in the text can't be a good idea.

> 2. Taking note of the exact language used in the sentence
> citing MD5 -- specifically the "may be sufficient", please
> supply alternative language.

Maybe s/secure/encrypted/ in this sentence is an alternative. What you really want is probably "stay away from LOGIN or from PLAIN outside of TLS", and CRAM-MD5 is still better than PLAIN LOGIN, or than SMTP-after-POP (for APOP or a plain USER PASS).

Bye, Frank
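Added example, not part of the original message: what each of the mechanisms in the "AUTH PLAIN LOGIN CRAM-MD5" line puts on the wire when the session is not protected by TLS. The user name, password and challenge are the sample values from the example exchange in RFC 2195; the function names are made up for this illustration.

```python
import base64
import hashlib
import hmac

# Sample values from the RFC 2195 example exchange (not from the message above).
USER = "tim"
PASSWORD = "tanstaaftanstaaf"
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def plain_wire(user: str, password: str) -> str:
    """AUTH PLAIN response: base64 of authzid NUL authcid NUL password."""
    return _b64(f"\0{user}\0{password}")


def login_wire(user: str, password: str) -> tuple[str, str]:
    """AUTH LOGIN: user name and password sent as two base64 strings."""
    return _b64(user), _b64(password)


def cram_md5_wire(user: str, password: str, challenge: str) -> str:
    """CRAM-MD5 response: base64 of 'user SP hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return _b64(f"{user} {digest}")


def observer_reads_password(wire: str, password: str) -> bool:
    """True if base64-decoding the captured response reveals the password."""
    return password.encode() in base64.b64decode(wire)


if __name__ == "__main__":
    captured = {
        "PLAIN": plain_wire(USER, PASSWORD),
        "LOGIN": login_wire(USER, PASSWORD)[1],
        "CRAM-MD5": cram_md5_wire(USER, PASSWORD, CHALLENGE),
    }
    for mech, wire in captured.items():
        exposed = observer_reads_password(wire, PASSWORD)
        print(f"{mech:9} {wire}  password readable: {exposed}")
```

The CRAM-MD5 response depends on the server's challenge, so a captured response is not a reusable password, although it can still be tested offline against guessed passwords.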