Re: Last Call: 'Email Submission Between Independent Networks' to BCP

Hi.  I'm not in a good position to write a long response now; let me
know if you do end up wanting a longer response and you'll get it in a
week or so.

I don't think cram-md5 is a reasonable best current practice.  I think
it is accurate to describe it as a common practice.  

It's my recollection that cram-md5 is vulnerable to man-in-the-middle
attacks but digest-md5 is not.  It's also my recollection that
digest-md5 will do a much better job of supporting servers that do not
want to store plaintext equivalents than cram-md5.  The server will
store a secret that is sufficient to log into that server but may not
be sufficient to log into other servers.


Digest-md5 also supports an integrity and confidentiality layer.

I think all of the above are significant advantages over cram-md5.

If you are concerned that digest-md5 is not sufficiently widely
implemented then let's recommend plain+tls and digest-md5.  I think
those are two low-infrastructure protocols in wide use.
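
The stored-secret point in the message above (a DIGEST-MD5 server can keep a secret that works only for its own realm, while a CRAM-MD5 verifier is a plaintext equivalent) is shown concretely in this added example, which is not part of the original message. It follows the response formulas of RFC 2195 and RFC 2831 with qop=auth and no authzid; the user, password, realms, nonces and challenges are constructed values.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def cram_md5_response(key: str, challenge: bytes) -> str:
    # RFC 2195: HMAC-MD5 keyed with the shared secret over the server challenge.
    return hmac.new(key.encode(), challenge, hashlib.md5).hexdigest()

def digest_md5_secret(user: str, realm: str, password: str) -> bytes:
    # RFC 2831: the only long-term value the server needs is H(user:realm:password).
    return md5(f"{user}:{realm}:{password}".encode())

def digest_md5_response(secret: bytes, nonce: str, cnonce: str,
                        digest_uri: str, nc: str = "00000001") -> str:
    # Assumption for this example: qop=auth and no authzid.
    ha1 = md5(secret + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = md5(f"AUTHENTICATE:{digest_uri}".encode()).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hex()

def verifier_scope() -> dict:
    """Compare what each server's stored verifier is good for elsewhere."""
    user, password = "alice", "correct horse"            # constructed
    nonce, cnonce = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk"   # constructed

    # DIGEST-MD5: each server stores a realm-bound hash, never the password.
    stored_a = digest_md5_secret(user, "mail-a.example", password)
    stored_b = digest_md5_secret(user, "mail-b.example", password)
    uri_a, uri_b = "smtp/mail-a.example", "smtp/mail-b.example"

    client = digest_md5_response(stored_a, nonce, cnonce, uri_a)
    own = hmac.compare_digest(client, digest_md5_response(stored_a, nonce, cnonce, uri_a))
    # Server A's stored value presented to server B: B expects a hash over its own realm.
    reused = digest_md5_response(stored_a, nonce, cnonce, uri_b)
    cross = hmac.compare_digest(reused, digest_md5_response(stored_b, nonce, cnonce, uri_b))

    # CRAM-MD5: the verifier must hold the HMAC key itself. This example models
    # it as the password; it carries no realm, so every server holds the same value.
    cram_stored_a = cram_stored_b = password
    chal_b = b"<1896.697170952@mail-b.example>"           # constructed
    cram_cross = hmac.compare_digest(cram_md5_response(cram_stored_a, chal_b),
                                     cram_md5_response(cram_stored_b, chal_b))
    return {"digest_own_realm": own, "digest_other_realm": cross,
            "cram_other_server": cram_cross}

if __name__ == "__main__":
    print(verifier_scope())
```
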
