>>>>> "John" == John C Klensin <john-ietf@xxxxxxx> writes:

    John> Scott, I'll leave it to you, Ted, and your IESG colleagues
    John> to figure out what priority this has, but it seems to me
    John> that this topic is, at some point, worth some serious
    John> discussion. If the security community has really concluded
    John> that authentication without encryption is no longer
    John> acceptable --and it certainly sounds that way from the
    John> discussions of the last week, put into context by
    John> Christian's explanation-- then we have a task in front of us
    John> to start upgrading or deprecating almost every application
    John> protocol we have, back to and including Telnet.

I think most of the application protocols are already upgraded, including telnet. Certainly LDAP, IMAP, SMTP, XMPP, POP, and ftp all work reasonably well and support binding of authentication to encryption. I've deployed all of these, with the exception of pop, in what I believe to be a secure manner. SIP and related protocols are also securely designed, but for a variety of reasons take a different approach than most of the application protocols.

I agree this is an important topic to discuss. My personal guess is that we're doing a fairly good job of protocol design, but that the deployment of security still lags behind. Cram-md5 is in fact widely deployed. There are some real problems that make digest-md5 and cram-md5 hard to deploy; this is true for things even more secure than digest-md5 as well. I think we're at a point today where we can describe the problem to people and tell them they should be using mechanisms that bind authentication to integrity protection. However, until the security community gets done with a more compelling case for some of the deployment issues, and until vendors actually implement this, I don't think we can go for the sort of mass deprecation that your mail might contemplate.

Also, I deeply regret the fact that my earlier mail came across as personal assertion. I was (and still am) hurried and trying to dig myself out from under a huge mail backlog. I wish that I had a chance to write something more useful.