Re: "POP3 SASL Authentication Mechanism" submitted for publication

Lisa Dusseault <lisa@osafoundation.org> Mon, 15 January 2007 17:52 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FHqanL056430 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 10:52:36 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FHqaTp056427; Mon, 15 Jan 2007 10:52:36 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from laweleka.osafoundation.org (laweleka.osafoundation.org [204.152.186.98]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FHqWg5056416; Mon, 15 Jan 2007 10:52:32 -0700 (MST) (envelope-from lisa@osafoundation.org)
Received: from localhost (localhost [127.0.0.1]) by laweleka.osafoundation.org (Postfix) with ESMTP id CE00514227C; Mon, 15 Jan 2007 09:52:31 -0800 (PST)
Received: from laweleka.osafoundation.org ([127.0.0.1]) by localhost (laweleka.osafoundation.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00456-05; Mon, 15 Jan 2007 09:52:30 -0800 (PST)
Received: from [192.168.1.101] (c-69-181-78-47.hsd1.ca.comcast.net [69.181.78.47]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by laweleka.osafoundation.org (Postfix) with ESMTP id 8726F14227D; Mon, 15 Jan 2007 09:52:25 -0800 (PST)
In-Reply-To: <zS/BiUKvu0x5QwxFHJEDcg.md5@libertango.oryx.com>
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org> <87k5zpgz7o.fsf@latte.josefsson.org> <45AB6731.9090906@isode.com> <zS/BiUKvu0x5QwxFHJEDcg.md5@libertango.oryx.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <B39CE7B7-98CF-4484-A31A-C175E53D9A74@osafoundation.org>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>, robsiemb@google.com, Abhijit Menon-Sen <ams@oryx.com>, Frank Ellermann <nobody@xyzzy.claranet.de>, ietf-pop3ext@imc.org, ietf-sasl@imc.org, Simon Josefsson <simon@josefsson.org>
Content-Transfer-Encoding: 7bit
From: Lisa Dusseault <lisa@osafoundation.org>
Subject: Re: "POP3 SASL Authentication Mechanism" submitted for publication
Date: Mon, 15 Jan 2007 09:52:22 -0800
To: Arnt Gulbrandsen <arnt@oryx.com>
X-Mailer: Apple Mail (2.752.2)
X-Virus-Scanned: by amavisd-new and clamav at osafoundation.org
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

I think we might have rough consensus around TLS+PLAIN as the "Mandatory to Implement" mechanism. Note that having a single "MTI" mechanism still allows people to implement and use additional mechanisms. It also allows administrators to decide that TLS+PLAIN is not good enough for their site policy and disable it, even though their server software supports it as required.

Since there's not an official WG to poll, I'm basing this conclusion on a handful of private comments on this draft as well as messages to this list. If anybody wants to add their voice, please do so.

thx,
Lisa

On Jan 15, 2007, at 4:05 AM, Arnt Gulbrandsen wrote:

> Alexey Melnikov writes:
>> Simon Josefsson wrote:
>>> and TLS+CRAM-MD5
>>
>> This doesn't give anything over TLS+PLAIN and also doesn't support  
>> authorization identity.
>> I am against this choice.
>
> TLS+CRAM-MD5 doesn't reveal the user's secret to the server. A very  
> nice property if you're not 100% sure that you're talking to the  
> right server.
>
> Arnt
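The two properties argued over in the quoted exchange (PLAIN carries an authorization identity but hands the server the password; CRAM-MD5 keeps the password off the wire but has no authorization-identity slot) can be seen directly by building both SASL messages. The following is an added illustration, not code from the thread, the draft or any of its participants. It encodes the PLAIN message per RFC 4616 and the CRAM-MD5 challenge/response per RFC 2195 in Python, then reports what a server receiving each message actually learns. The credentials, the authorization identity and the challenge host name are constructed sample values; the TLS layer that both mechanisms are assumed to run under is not modelled.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials for the demonstration (not from the thread).
USER = "alice"
PASSWORD = "correct horse battery staple"
AUTHZID = "shared-mailbox"  # an authorization identity distinct from the login name


def plain_initial_response(authcid, passwd, authzid=""):
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL passwd, base64-encoded on the wire."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plain_server_view(initial_response):
    """Everything a PLAIN server (genuine or not) learns, the password included."""
    fields = base64.b64decode(initial_response).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, passwd = fields
    return {"authzid": authzid, "authcid": authcid, "password": passwd}


def cram_md5_challenge(host="pop.example.invalid"):
    """RFC 2195 challenge: a fresh, unpredictable msg-id-style string, base64-encoded.
    The host name is a constructed placeholder."""
    nonce = secrets.token_hex(8)
    return base64.b64encode(f"<{nonce}@{host}>".encode("ascii")).decode("ascii")


def cram_md5_digest(passwd, challenge):
    """HMAC-MD5 over the raw challenge bytes, keyed with the shared secret (RFC 2195 / RFC 2104)."""
    return hmac.new(passwd.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def cram_md5_response(authcid, passwd, challenge_b64):
    """Client reply: 'authcid SP hexdigest', base64-encoded. There is no field for an authzid."""
    digest = cram_md5_digest(passwd, base64.b64decode(challenge_b64))
    return base64.b64encode(f"{authcid} {digest}".encode("ascii")).decode("ascii")


def cram_md5_server_view(response_b64):
    """What the server sees: a username and a keyed digest of its own challenge."""
    authcid, digest = base64.b64decode(response_b64).decode("ascii").split(" ", 1)
    return {"authcid": authcid, "digest": digest}


def cram_md5_verify(stored_passwd, challenge_b64, response_b64):
    """Server-side check. The server must itself hold the secret to recompute the HMAC,
    so CRAM-MD5 protects the password in transit, not in the server's credential store."""
    digest = cram_md5_server_view(response_b64)["digest"]
    expected = cram_md5_digest(stored_passwd, base64.b64decode(challenge_b64))
    return hmac.compare_digest(expected, digest)


def secret_visible_on_wire(message_b64, passwd):
    """True if the decoded client message carries the password verbatim."""
    return passwd.encode("utf-8") in base64.b64decode(message_b64)


def compare_mechanisms():
    """Run both exchanges and summarise what each one exposes to the receiving server."""
    plain_msg = plain_initial_response(USER, PASSWORD, AUTHZID)
    challenge = cram_md5_challenge()
    cram_msg = cram_md5_response(USER, PASSWORD, challenge)
    return {
        "plain_reveals_secret": secret_visible_on_wire(plain_msg, PASSWORD),
        "plain_authzid": plain_server_view(plain_msg)["authzid"],
        "cram_reveals_secret": secret_visible_on_wire(cram_msg, PASSWORD),
        "cram_verifies": cram_md5_verify(PASSWORD, challenge, cram_msg),
        "cram_rejects_wrong_secret": not cram_md5_verify("not the password", challenge, cram_msg),
    }


if __name__ == "__main__":
    for key, value in compare_mechanisms().items():
        print(f"{key}: {value}")
```

Running `compare_mechanisms()` shows the PLAIN message delivering the password and the `shared-mailbox` authorization identity to whoever is on the other end of the connection, while the CRAM-MD5 response carries only the login name and a digest bound to that one challenge, which a server holding the correct secret accepts and one holding a wrong secret rejects. The CRAM-MD5 response format has no place to put an authorization identity, which is the gap Alexey raises; the price of keeping the secret off the wire is that the verifying server needs the secret itself, which is the usual reason TLS+PLAIN with hashed server-side storage ends up as the baseline.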