RE: "POP3 SASL Authentication Mechanism" submitted for publication

Lyndon Nerenberg <lyndon@orthanc.ca> Mon, 15 January 2007 20:28 UTC

Date: Mon, 15 Jan 2007 12:28:00 -0800
From: Lyndon Nerenberg <lyndon@orthanc.ca>
To: Paul Leach <paulle@windows.microsoft.com>
cc: Lisa Dusseault <lisa@osafoundation.org>, Arnt Gulbrandsen <arnt@oryx.com>, Alexey Melnikov <alexey.melnikov@isode.com>, robsiemb@google.com, Abhijit Menon-Sen <ams@oryx.com>, Frank Ellermann <nobody@xyzzy.claranet.de>, ietf-pop3ext@imc.org, ietf-sasl@imc.org, Simon Josefsson <simon@josefsson.org>
Subject: RE: "POP3 SASL Authentication Mechanism" submitted for publication
In-Reply-To: <76323E9F0A911944A4E9225FACFC55BA0352C8B5@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
Message-ID: <20070115122513.Q1195@gollum.dev.gmi-mr.com>
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org> <87k5zpgz7o.fsf@latte.josefsson.org> <45AB6731.9090906@isode.com> <zS/BiUKvu0x5QwxFHJEDcg.md5@libertango.oryx.com> <B39CE7B7-98CF-4484-A31A-C175E53D9A74@osafoundation.org> <76323E9F0A911944A4E9225FACFC55BA0352C8B5@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com>
Organization: The Frobozz Magic Homing Pigeon Company
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>

On Mon, 15 Jan 2007, Paul Leach wrote:

> I worry that having TLS+PLAIN be the MTI sends an implicit message that
> it is "good enough". I really think that all use of plain text
> passwords, even over an encrypted tunnel to a trusted party, should be
> discouraged. (At the very least, a stern passage in the security
> considerations section is needed.) It is well known that users use the
> same password on many different servers, so TLS+PLAIN lets any such
> server act as the user to any other server.

I strongly agree with this.  In many corporate environments this sort of 
password re-use is enforced behaviour, mandated by corporate "security" 
policy.  Strange, but true.


--lyndon

   Never look at the trombones. You'll only encourage them.
   			-- Robert Strauss, on conducting
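To make the quoted point concrete, here is an added example (not code from this thread or from any POP3 implementation): it shows what a server receives from a SASL PLAIN initial response beside a SCRAM-style exchange (the RFC 5802 salted-verifier derivation, which this thread does not name), where the server stores no reusable password and a proof computed for one server fails at another. The credentials, salts and the auth_message bytes are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed credentials: the user reuses one password at two servers.
PASSWORD = "correct horse battery staple"


def plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    # SASL PLAIN (RFC 4616): [authzid] NUL authcid NUL passwd, base64 on the wire.
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")).decode("ascii")


def plain_server_learns(response_b64: str) -> tuple[str, str]:
    # What a PLAIN server ends up holding: the password itself, usable at any other server.
    _authzid, authcid, passwd = base64.b64decode(response_b64).decode("utf-8").split("\0", 2)
    return authcid, passwd


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_enroll(passwd: str, salt: bytes, iters: int = 4096) -> dict:
    # Server-side record: only a salted StoredKey = H(ClientKey), never the password.
    salted = hashlib.pbkdf2_hmac("sha256", passwd.encode("utf-8"), salt, iters)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return {"salt": salt, "iters": iters, "stored_key": hashlib.sha256(client_key).digest()}


def scram_client_proof(passwd: str, salt: bytes, iters: int, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, auth_message); bound to this server's salt.
    salted = hashlib.pbkdf2_hmac("sha256", passwd.encode("utf-8"), salt, iters)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    client_sig = hmac.new(hashlib.sha256(client_key).digest(), auth_message, hashlib.sha256).digest()
    return xor(client_key, client_sig)


def scram_server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    # Server recovers ClientKey from the proof and checks H(ClientKey) against StoredKey.
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha256).digest()
    return hmac.compare_digest(hashlib.sha256(xor(proof, client_sig)).digest(), record["stored_key"])


def demo() -> tuple[bool, bool, bool]:
    # Returns (PLAIN server got the password, proof valid at server A, same proof valid at server B).
    plain_ok = plain_server_learns(plain_initial_response("alice", PASSWORD))[1] == PASSWORD
    server_a = scram_enroll(PASSWORD, salt=b"constructed-salt-at-server-A")
    server_b = scram_enroll(PASSWORD, salt=b"constructed-salt-at-server-B")
    auth_msg = b"n=alice,r=cnonce,r=cnonce-snonce"  # constructed stand-in for SCRAM's auth_message
    proof_a = scram_client_proof(PASSWORD, server_a["salt"], server_a["iters"], auth_msg)
    return plain_ok, scram_server_verify(server_a, auth_msg, proof_a), scram_server_verify(server_b, auth_msg, proof_a)
```

The third value is False because server B's salt differs, so even a server that receives a valid proof cannot present it, or its own stored record, as that user to another server; with PLAIN the first value shows the server simply has the password.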