RE: Further IESG feedback on draft-crispin-imapv-17.txt
Mark Crispin <MRC@cac.washington.edu> Thu, 19 September 2002 20:32 UTC
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g8JKWS424274 for ietf-imapext-bks; Thu, 19 Sep 2002 13:32:28 -0700 (PDT)
Received: from Ikkoku-Kan.Panda.COM (den@panda.com [206.124.149.114]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g8JKWRk24270 for <ietf-imapext@imc.org>; Thu, 19 Sep 2002 13:32:27 -0700 (PDT)
Received: from Ikkoku-Kan.Panda.COM (Ikkoku-Kan.Panda.COM [192.107.14.50]) by Ikkoku-Kan.Panda.COM id NAA06883; Thu, 19 Sep 2002 13:32:02 -0700 (PDT)
Date: Thu, 19 Sep 2002 11:43:11 -0700
From: Mark Crispin <MRC@cac.washington.edu>
Subject: RE: Further IESG feedback on draft-crispin-imapv-17.txt
To: Larry Osterman <larryo@exchange.MICROSOFT.com>
cc: ned.freed@mrochek.com, IMAP Mailing Liste <imap@u.washington.edu>, IMAP Extensions WG <ietf-imapext@imc.org>, paf@cisco.com, jis@mit.edu
In-Reply-To: <72C5FDA4D9CC3045B80EA1B76DB86A99ED2CB0@DF-BOWWOW.platinum.corp.microsoft.com>
Message-ID: <MailManager.1032460991.220.mrc@Ikkoku-Kan.Panda.COM>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET="US-ASCII"
Sender: owner-ietf-imapext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-imapext/mail-archive/>
List-ID: <ietf-imapext.imc.org>
List-Unsubscribe: <mailto:ietf-imapext-request@imc.org?body=unsubscribe>
I share Larry's concern. We agree with the IESG that this requirement should be "mandatory to implement". What makes it untenable for us is the implication that an implementation which does not enforce "mandatory to deploy" is non-compliant. Server implementors are not in a position to enforce "mandatory to deploy", and there are legitimate reasons why a site may choose to deploy unprotected plaintext authentication. Note the following text in RFC 2595: [...] The PLAIN SASL mechanism MUST NOT be advertised or used unless a strong encryption layer (such as the provided by TLS) is active or backwards compatibility dictates otherwise. IESG approved this as standards-track for a new protocol (the PLAIN SASL mechanism) which did not have any standards-track legacy to consider. IMAP, on the other hand, has a standards-track legacy and furthermore a production installed base dating from 1985. This is, to put it mildly, inconsistent. Is the following compromise be acceptable to the IESG? Note: a server implementation MUST implement a configuration in which it does NOT permit any plaintext password mechanisms unless the STARTTLS command described in [IMAP-TLS] has been negotiated or some other mechanism that protects the session from password snooping has been provided. Server sites SHOULD NOT use any configuration which permits a plaintext password mechanism without a protection mechanism against password snooping. Client and server implementations SHOULD implement additional SASL mechanisms which do not use plaintext passwords, such the GSSAPI mechanism described in [SASL] and/or the [DIGEST-MD5] mechanism. This clearly puts the vendor off the hook if it has implemented the correct mode, even if the site chooses to use the incorrect mode.
- re: Further IESG feedback on draft-crispin-imapv-… ned.freed
- RE: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- RE: Further IESG feedback on draft-crispin-imapv-… ned.freed
- RE: Further IESG feedback on draft-crispin-imapv-… Larry Osterman
- re: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- Re: Further IESG feedback on draft-crispin-imapv-… ned.freed
- Re: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- Re: Further IESG feedback on draft-crispin-imapv-… ned.freed
- Re: Further IESG feedback on draft-crispin-imapv-… Cyrus Daboo
- Re: Further IESG feedback on draft-crispin-imapv-… Jeffrey I. Schiller
- Re: Further IESG feedback on draft-crispin-imapv-… Jeffrey I. Schiller
- Re: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- Re: Further IESG feedback on draft-crispin-imapv-… Steve Hole
- Re: Further IESG feedback on draft-crispin-imapv-… Chris Newman
- RE: Further IESG feedback on draft-crispin-imapv-… Mark Crispin
- RE: Further IESG feedback on draft-crispin-imapv-… Larry Osterman
- Further IESG feedback on draft-crispin-imapv-17.t… ned.freed