> From: Kurt D. Zeilenga [mailto:Kurt@xxxxxxxxxxxx]
> At 04:07 PM 9/7/2006, John C Klensin wrote:
> >I think we have a small misunderstanding here. Let me say more
> >clearly and briefly
>
> My message was intended to clarify why the SASL WG is
> pursuing an Informational recommendation for its RFC2195bis
> work and to redirect any comments specific to this work to
> the WG's list.

Well, if I remember correctly, there was ample discussion of this topic during the IETF meeting in Paris -- both Steve Bellovin and I presented the issues with such techniques. Basic challenge response mechanisms like CRAM-MD5 are simply too weak to be used on the Internet. They are subject to dictionary attacks, which can retrieve the password in a very short time. They don't deserve much more than documentation for historical purpose.

-- Christian Huitema
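
Why a recorded CRAM-MD5 exchange is enough to test password guesses offline, shown as an added example that is not part of the original message: the response is HMAC-MD5 keyed with the password over a challenge the server sends in the clear. The exchange values are the example from RFC 2195; the function names and the wordlist are constructed for illustration.

```python
import base64
import hashlib
import hmac


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client reply per RFC 2195: user, a space, hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def guess_matches(challenge: bytes, observed: str, candidate: str) -> bool:
    """Test one candidate password against a recorded exchange, with no server contact."""
    user, _, digest = observed.partition(" ")
    expected = cram_md5_response(user, candidate, challenge).partition(" ")[2]
    return hmac.compare_digest(expected, digest)


def audit_exchange(challenge_b64: str, response_b64: str, wordlist):
    """Return the wordlist entry that reproduces the recorded response, or None."""
    challenge = base64.b64decode(challenge_b64)         # both sides travel base64-encoded
    observed = base64.b64decode(response_b64).decode()
    return next((w for w in wordlist if guess_matches(challenge, observed, w)), None)


# Example exchange from RFC 2195, section 2.
RFC_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC_USER, RFC_SECRET = "tim", "tanstaaftanstaaf"

# Wire form of the exchange as a passive observer would record it.
WIRE_CHALLENGE = base64.b64encode(RFC_CHALLENGE).decode()
WIRE_RESPONSE = base64.b64encode(
    cram_md5_response(RFC_USER, RFC_SECRET, RFC_CHALLENGE).encode()
).decode()

# Constructed wordlist: the only secret needed to verify a guess is the guess itself.
SAMPLE_WORDLIST = ["password", "letmein", "tanstaaftanstaaf"]

if __name__ == "__main__":
    found = audit_exchange(WIRE_CHALLENGE, WIRE_RESPONSE, SAMPLE_WORDLIST)
    print("password reproduced from wordlist:", found)
```

Each guess costs two MD5-based HMAC computations and nothing in the protocol slows or limits them, so resistance rests entirely on the entropy of the password.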