Frank Ellermann wrote:
Lisa Dusseault wrote:
are we looking at the same version of this doc?
No, the last called is -07, it doesn't REQUIRE [DIGEST-MD5] anymore:
| Note that many existing client and server implementations implement
| CRAM-MD5 [CRAM-MD5] SASL mechanism. In order to insure interoperability
| with deployed software new implementations MAY implement it, however
| implementations should be aware that this SASL mechanism doesn't
| provide any server authentication. Implementations that want to provide
| server authentication are encouraged to implement SASL mechanisms such
| as DIGEST-MD5 [DIGEST-MD5].
The MAY is a bit obscure, of course they MAY do this, optionally. I'd
prefer a clearer SHOULD to s/insure/ensure/ (?) interoperability.
I didn't want to recommend it, but at the same time I wanted to let
people know that CRAM-MD5 is deployed.
If other people feel strongly about changing the MAY to the SHOULD, I
will do the change.
It has references to 2195 and 2831bis, and talks about SASLprep. How about
using 2195bis, its "security considerations" might be more up to date?
The question of the 2195bis status (draft standard vs. informational)
will be interesting, but it won't affect 2554bis, and maybe we'll find
a compromise between those positions.
I will be glad to reference 2195bis if it gets published soon enough.
This change can be done during AUTH48.
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
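The point the quoted draft text makes (CRAM-MD5 authenticates the client, but gives the client no way to authenticate the server) is easy to see once the mechanism is written out. The following is an added example, not code from the thread or from any of the drafts under discussion: it implements the RFC 2195 CRAM-MD5 exchange with Python's standard `hmac`/`hashlib`, checks it against the worked example in RFC 2195 section 2 (challenge `<1896.697170952@postoffice.reston.mci.net>`, user `tim`, shared secret `tanstaaftanstaaf`), and then shows why an on-path attacker can relay the real server's challenge to the client and reuse the answer: nothing the server sends depends on the shared secret, so the client has nothing to verify. The `lookup` callback and the `relay_attack`/`rogue_server` helpers are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# --- RFC 2195 CRAM-MD5, both sides -------------------------------------------

def cram_md5_challenge(hostname: str) -> bytes:
    """Server side: build '<pid.timestamp@host>' and return it base64-encoded,
    as sent after the SMTP '334 ' continuation line."""
    raw = f"<{os.getpid()}.{int(time.time())}@{hostname}>".encode()
    return base64.b64encode(raw)


def cram_md5_response(challenge_b64: bytes, username: str, password: str) -> bytes:
    """Client side: 'username ' + hex(HMAC-MD5(key=password, msg=challenge)),
    base64-encoded. The client proves knowledge of the password here."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def cram_md5_verify(challenge_b64: bytes, response_b64: bytes,
                    lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Server side: recompute the HMAC from the stored secret and compare in
    constant time. Returns the authenticated username, or None on failure."""
    try:
        user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:
        return None
    password = lookup(user)          # assumed credential store callback
    if password is None:
        return None
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


# --- Why "doesn't provide any server authentication" matters ---------------

def rogue_server(username: str, password: str) -> tuple:
    """A server that knows no secret at all. It emits a syntactically valid
    challenge, the client answers it, and the rogue server just says '235 OK'.
    From the client's side this run is indistinguishable from a real one."""
    challenge = cram_md5_challenge("mail.example.invalid")  # assumed hostname
    response = cram_md5_response(challenge, username, password)
    return True, response            # (accepted, harvested response)


def relay_attack(real_challenge_b64: bytes, username: str, password: str) -> bytes:
    """On-path attacker: forward the real server's challenge to the victim
    client unchanged, collect the response, and replay it to the real server
    within the same session. The client cannot detect the relay because the
    challenge carries no proof of the server's identity."""
    return cram_md5_response(real_challenge_b64, username, password)


# Worked example from RFC 2195 section 2 (not constructed; the RFC's own test
# vector): challenge, expected client response, and the shared secret.
RFC2195_CHALLENGE = b"PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC2195_RESPONSE = b"dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"
RFC2195_USER, RFC2195_SECRET = "tim", "tanstaaftanstaaf"


def demo() -> dict:
    """Run the legitimate exchange, the rogue server and the relay; return
    what each side concludes so the results can be checked programmatically."""
    store = {RFC2195_USER: RFC2195_SECRET}        # constructed credential store
    lookup = store.get

    # 1. Legitimate exchange reproduces the RFC vector and verifies.
    resp = cram_md5_response(RFC2195_CHALLENGE, RFC2195_USER, RFC2195_SECRET)
    legit_ok = cram_md5_verify(RFC2195_CHALLENGE, resp, lookup)

    # 2. Rogue server: no secret, still "succeeds" from the client's view.
    rogue_accepted, harvested = rogue_server(RFC2195_USER, RFC2195_SECRET)

    # 3. Relay: attacker replays the harvested answer to the real server.
    real_challenge = cram_md5_challenge("smtp.example.com")  # assumed hostname
    relayed = relay_attack(real_challenge, RFC2195_USER, RFC2195_SECRET)
    relay_ok = cram_md5_verify(real_challenge, relayed, lookup)

    return {
        "vector_matches": resp == RFC2195_RESPONSE,
        "legit_user": legit_ok,
        "rogue_accepted": rogue_accepted,
        "relay_user": relay_ok,
        "wrong_password_rejected": cram_md5_verify(
            RFC2195_CHALLENGE,
            cram_md5_response(RFC2195_CHALLENGE, RFC2195_USER, "wrong"), lookup),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The harvested response is only useful against the challenge it was computed for, which is why the relay has to happen live rather than offline; that is also the whole of the protection CRAM-MD5 offers against a rogue peer. A mechanism with mutual authentication closes this gap by sending the client a value that the server can only compute from the shared secret (in DIGEST-MD5, RFC 2831, that is the `rspauth` value in the final server message), and a client that refuses to proceed unless that value checks out.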