Re: Further IESG feedback on draft-crispin-imapv-17.txt
"Jeffrey I. Schiller" <jis@mit.edu> Fri, 20 September 2002 17:28 UTC
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g8KHSdl25532 for ietf-imapext-bks; Fri, 20 Sep 2002 10:28:39 -0700 (PDT)
Received: from jis.mit.edu (JIS.MIT.EDU [18.7.21.84]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g8KHSck25524 for <ietf-imapext@imc.org>; Fri, 20 Sep 2002 10:28:38 -0700 (PDT)
Received: from jis.tzo.com (localhost [127.0.0.1]) by jis.mit.edu (8.9.2/8.9.3) with ESMTP id NAA22385; Fri, 20 Sep 2002 13:28:21 -0400 (EDT)
Received: from mit.edu (jis.tzo.com [127.0.0.1]) by jis.tzo.com (8.12.3/8.12.3) with ESMTP id g8KHS8lt002664; Fri, 20 Sep 2002 13:28:08 -0400
Message-ID: <3D8B5AA8.5010409@mit.edu>
Date: Fri, 20 Sep 2002 13:28:08 -0400
From: "Jeffrey I. Schiller" <jis@mit.edu>
Organization: Massachusetts Institute of Technology
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020607
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Mark Crispin <MRC@cac.washington.edu>
CC: Larry Osterman <larryo@exchange.MICROSOFT.com>, ned.freed@mrochek.com, IMAP Mailing Liste <imap@u.washington.edu>, IMAP Extensions WG <ietf-imapext@imc.org>, paf@cisco.com
Subject: Re: Further IESG feedback on draft-crispin-imapv-17.txt
References: <MailManager.1032460991.220.mrc@Ikkoku-Kan.Panda.COM>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-imapext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-imapext/mail-archive/>
List-ID: <ietf-imapext.imc.org>
List-Unsubscribe: <mailto:ietf-imapext-request@imc.org?body=unsubscribe>
I can live with Mark's proposed paragraph. -Jeff Mark Crispin wrote: > I share Larry's concern. > > We agree with the IESG that this requirement should be "mandatory to > implement". What makes it untenable for us is the implication that an > implementation which does not enforce "mandatory to deploy" is non-compliant. > > Server implementors are not in a position to enforce "mandatory to deploy", > and there are legitimate reasons why a site may choose to deploy unprotected > plaintext authentication. > > Note the following text in RFC 2595: > [...] The PLAIN SASL mechanism > MUST NOT be advertised or used unless a strong encryption layer (such > as the provided by TLS) is active or backwards compatibility dictates > otherwise. > > IESG approved this as standards-track for a new protocol (the PLAIN SASL > mechanism) which did not have any standards-track legacy to consider. IMAP, > on the other hand, has a standards-track legacy and furthermore a production > installed base dating from 1985. > > This is, to put it mildly, inconsistent. > > Is the following compromise be acceptable to the IESG? > > Note: a server implementation MUST implement a configuration in which > it does NOT permit any plaintext password mechanisms unless the > STARTTLS command described in [IMAP-TLS] has been negotiated or > some other mechanism that protects the session from password > snooping has been provided. Server sites SHOULD NOT use any > configuration which permits a plaintext password mechanism without > a protection mechanism against password snooping. Client and > server implementations SHOULD implement additional SASL mechanisms > which do not use plaintext passwords, such the GSSAPI mechanism > described in [SASL] and/or the [DIGEST-MD5] mechanism. > > This clearly puts the vendor off the hook if it has implemented the correct > mode, even if the site chooses to use the incorrect mode. >
- re: Further IESG feedback on draft-crispin-imapv-… ned.freed
- RE: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- RE: Further IESG feedback on draft-crispin-imapv-… ned.freed
- RE: Further IESG feedback on draft-crispin-imapv-… Larry Osterman
- re: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- Re: Further IESG feedback on draft-crispin-imapv-… ned.freed
- Re: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- Re: Further IESG feedback on draft-crispin-imapv-… ned.freed
- Re: Further IESG feedback on draft-crispin-imapv-… Cyrus Daboo
- Re: Further IESG feedback on draft-crispin-imapv-… Jeffrey I. Schiller
- Re: Further IESG feedback on draft-crispin-imapv-… Jeffrey I. Schiller
- Re: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- Re: Further IESG feedback on draft-crispin-imapv-… Steve Hole
- Re: Further IESG feedback on draft-crispin-imapv-… Chris Newman
- RE: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- RE: Further IESG feedback on draft-crispin-imapv-… Larry Osterman
- Further IESG feedback on draft-crispin-imapv-17.t… ned.freed