--On Friday, 10 June, 2005 11:18 +0200 Brian E Carpenter <brc@xxxxxxxxxxxxxx> wrote:

>...
> However, a BCP that states something like
>
>   CRAM-MD5 is widely deployed for this purpose but due to
>   known weaknesses [citations] is NOT RECOMMENDED. The
>   RECOMMENDED alternatives are ...
>
> might have a reasonable chance of gaining consensus.
>...

And that is exactly the document that I, and others in the email community, have been requesting for a few years now.

However, to be completely precise:

(1) "known weaknesses [citations]" is significantly different from "we don't like it" or "we assert it is bad" or even "we don't like things unless they contain several additional layers". The third of these might be a reasonable statement, but would require even more justification because...

(2) CRAM-MD5 was designed around a particular market niche and, based on the number of implementations and how quickly they appeared, seems to have responded correctly to it. It may be appropriate at this point to conclude that market niche has outlived its usefulness, but if "The RECOMMENDED alternatives..." include only things that are significantly more complex or require significantly more infrastructure, there is some reason to believe that they will go nowhere fast, independent of any pronouncements the IETF chooses to make.

    john