Hi Philip, thanks for the review. But are we looking at the same
version of this doc? We dealt with this after doing a pseudo-WG-last-
call on the SMTP mailing list and the -07 draft now has:
To ensure interoperability, client and server implementations
of this extension MUST implement the [PLAIN] SASL mechanism.
Note: a server implementation MUST implement a configuration
in which it does NOT permit any plaintext password
mechanisms,
unless either the STARTTLS [SMTP-TLS] command has been
negotiated or some other mechanism that protects the session
from password snooping has been provided. Server sites
SHOULD
NOT use any configuration which permits a plaintext password
mechanism without such a protection mechanism against
password
snooping.
Lisa
On Jan 24, 2007, at 7:15 PM, Philip Guenther wrote:
On Wed, 24 Jan 2007, The IESG wrote:
The IESG has received a request from an individual submitter to
consider
the following document:
- 'SMTP Service Extension for Authentication '
<draft-siemborski-rfc2554bis-07.txt> as a Proposed Standard
draft-siemborski-rfc2554bis does not appear to contain any text
similar to the last paragraph of section 4 in the rfc1734bis draft,
requiring servers to support a configuration that does not permit
passive password snooping.
I disagree with the choice of DIGEST-MD5 as the mandatory-to-
implement mechanism. Given that many of the other protocols likely
to be used by an SMTP client, such as POP3, IMAP4rev1, and LDAP,
have chosen to specify "TLS followed by a cleartext password
authentication" as their MtI authentication method, specifying
DIGEST-MD5 here seems like a needless difference. I see no reason
to believe DIGEST-MD5 will be more deployable in SMTP/submission
servers than in IMAP, POP3, or LDAP servers.
Philip Guenther
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf