RE: "POP3 SASL Authentication Mechanism" submitted for publication

"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> Mon, 15 January 2007 20:47 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FKlR8r075769 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 13:47:27 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FKlRoj075768; Mon, 15 Jan 2007 13:47:27 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from boole.openldap.org (boole.openldap.org [204.152.186.50]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FKlPd0075734 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 13:47:26 -0700 (MST) (envelope-from Kurt@OpenLDAP.org)
Received: from gypsy.OpenLDAP.org (71-80-218-136.dhcp.crcy.nv.charter.com [71.80.218.136] (may be forged)) (authenticated bits=0) by boole.openldap.org (8.13.8/8.13.8) with ESMTP id l0FKl0Vt054215 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 20:47:01 GMT (envelope-from Kurt@OpenLDAP.org)
Message-Id: <200701152047.l0FKl0Vt054215@boole.openldap.org>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 15 Jan 2007 12:46:40 -0800
To: Paul Leach <paulle@windows.microsoft.com>
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: RE: "POP3 SASL Authentication Mechanism" submitted for publication
Cc: Lisa Dusseault <lisa@osafoundation.org>, Arnt Gulbrandsen <arnt@oryx.com>, Alexey Melnikov <alexey.melnikov@isode.com>, robsiemb@google.com, Abhijit Menon-Sen <ams@oryx.com>, Frank Ellermann <nobody@xyzzy.claranet.de>, ietf-pop3ext@imc.org, ietf-sasl@imc.org, Simon Josefsson <simon@josefsson.org>
In-Reply-To: <76323E9F0A911944A4E9225FACFC55BA0352C8B5@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org> <87k5zpgz7o.fsf@latte.josefsson.org> <45AB6731.9090906@isode.com> <zS/BiUKvu0x5QwxFHJEDcg.md5@libertango.oryx.com> <B39CE7B7-98CF-4484-A31A-C175E53D9A74@osafoundation.org> <76323E9F0A911944A4E9225FACFC55BA0352C8B5@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

At 12:02 PM 1/15/2007, Paul Leach wrote:
>Since DIGEST-MD5 was the MTI for SASL in LDAP, I don't quite get the
>complaints about implementability -- plenty of people did it as a
>result. 

Was, but is no longer, LDAP's "strong" authentication method.
LDAP's current "strong" authentication method is
TLS-protected simple DN/password.  LDAPbis concluded DIGEST-MD5
interoperability, especially in regards to security layers,
just wasn't there.  I don't think any of LDAPbis's concerns
about DIGEST-MD5 were specific to LDAP.

>I really think that all use of plain text passwords, even over an
>encrypted tunnel to a trusted party, should be discouraged. (At
>the very least, a stern passage in the security considerations section is needed.)

I concur.

-- Kurt