I-D ACTION:draft-leach-digest-sasl-00.txt (fwd)

Chris Newman <Chris.Newman@INNOSOFT.COM> Wed, 07 October 1998 01:21 UTC

Date: Tue, 06 Oct 1998 18:21:12 -0700
From: Chris Newman <Chris.Newman@INNOSOFT.COM>
Subject: I-D ACTION:draft-leach-digest-sasl-00.txt (fwd)
Originator-info: login-id=chris; server=THOR.INNOSOFT.COM
To: ietf-sasl@imc.org
Message-id: <Pine.SOL.3.95.981006180312.17962U-100000@elwood.innosoft.com>

I'd like to ask people on the list to take a careful look at this internet
draft.

One of the nastier problems the IETF has faced is the choice of
"mandatory-to-implement" authentication mechanism given that unencrypted
clear-text passwords are no longer permitted (for good reason).

I believe this is a better choice than CRAM-MD5.  The main reason is that
this brings HTTP into the set of protocols which can share the same
mandatory-to-implement mechanism.  There is also an attack against
CRAM-MD5 (the password can be easily recovered if the client is tricked
into connecting to a spoof server) which is a major concern for some
implementors.  It also adds integrity protection. 

This mechanism is crufty due to the desire to keep it backwards compatible
with the HTTP digest draft.  But I think the benefit outweighs the cruft
(and the source code necessary to work around the nastiest cruft is
included).

Please take the time to read this over carefully.  I consider it extremely
important.

If we get a sense of rough consensus for this mechanism, the following
things are likely to happen:
* LDAPv3 will adopt it as mandatory-to-implement
* I will lobby for a recycle of the ACAP spec at proposed standard to
  change from CRAM-MD5 to this mechanism.
* I will lobby for this as mandatory-to-implement in the NNTP AUTH draft.
* Other political stuff moving towards making this an across-the-board
  replacement for unencrypted clear-text.

		- Chris

---------- Forwarded message ----------
Date: Mon, 05 Oct 1998 10:10:50 -0400
From: Internet-Drafts@ietf.org
To: IETF-Announce:  ;
Subject: I-D ACTION:draft-leach-digest-sasl-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title		: Using Digest Authentication as a SASL Mechanism
	Author(s)	: P. Leach, C. Newman
	Filename	: draft-leach-digest-sasl-00.txt
	Pages		: 20
	Date		: 02-Oct-98
	
       This specification defines how HTTP Digest Authentication [Digest] can
       be used as a SASL [RFC 2222] mechanism for any protocol that has a SASL
       profile. It is intended both as an improvement over CRAM-MD5 [RFC2195]
       and as a convenient way to support a single authentication mechanism for
       web, mail, LDAP, and other protocols.

Internet-Drafts are available by anonymous FTP.  Login with the username
"anonymous" and a password of your e-mail address.  After logging in,
type "cd internet-drafts" and then
	"get draft-leach-digest-sasl-00.txt".
A URL for the Internet-Draft is:
ftp://ftp.ietf.org/internet-drafts/draft-leach-digest-sasl-00.txt

Internet-Drafts directories are located at:

	Africa:	ftp.is.co.za
	
	Europe: ftp.nordu.net
		ftp.nis.garr.it
			
	Pacific Rim: munnari.oz.au
	
	US East Coast: ftp.ietf.org
	
	US West Coast: ftp.isi.edu

Internet-Drafts are also available by mail.

Send a message to:	mailserv@ietf.org.  In the body type:
	"FILE /internet-drafts/draft-leach-digest-sasl-00.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
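The abstract above names the mechanism but not how it works. The following is an added example, not code from the message, the draft, or its authors: it walks through one DIGEST-MD5 challenge/response exchange in the form later published as RFC 2831 (the exact strings in draft-leach-digest-sasl-00 may differ), and shows the two properties that matter to a defender: the server keeps only H(username:realm:password) rather than the clear-text password, and the server must return an `rspauth` value the client verifies, so a server that does not hold the secret hash cannot complete the exchange. The usernames, realm, nonces, and digest-uri are constructed sample values; `run_exchange` and its `verify_client` switch are this example's own scaffolding, not part of the specification.

```python
# Added example (not from the original message or the draft): DIGEST-MD5 in the
# form published as RFC 2831. All sample values below are constructed.
import hashlib
import hmac
from typing import Optional


def H(data: bytes) -> bytes:
    """H(s): MD5 of the octet string s (RFC 2831 notation)."""
    return hashlib.md5(data).digest()


def HEX(data: bytes) -> str:
    """HEX(s): lowercase hexadecimal text of the octets in s."""
    return data.hex()


def secret_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password). This 16-octet value is all the server needs
    to store; the clear-text password never has to live on the server."""
    return H(f"{username}:{realm}:{password}".encode("utf-8"))


def _digest(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
            digest_uri: str, a2_prefix: str, authzid: Optional[str] = None) -> str:
    """Core shared by the client response and the server's rspauth:
    HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), with KD(k, s) = H(k:s).
    A1 = H(user:realm:pass) ":" nonce ":" cnonce [":" authzid] (md5-sess)."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"{a2_prefix}{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32      # integrity/privacy layers bind the empty-body hash
    ha1 = HEX(H(a1))
    ha2 = HEX(H(a2.encode("utf-8")))
    return HEX(H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")))


def client_response(secret, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """Client side: A2 = "AUTHENTICATE:" digest-uri."""
    return _digest(secret, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE:", authzid)


def server_rspauth(secret, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """Server side: A2 = ":" digest-uri. Proves the server also holds the secret."""
    return _digest(secret, nonce, cnonce, nc, qop, digest_uri, ":", authzid)


def run_exchange(password: str, stored_secret: bytes, qop: str = "auth",
                 verify_client: bool = True) -> dict:
    """Simulate one exchange (example scaffolding, not part of the spec).
    `password` is what the client types; `stored_secret` is what the server
    holds. With verify_client=False the server accepts blindly, modelling a
    server that does not know the secret; the client's rspauth check catches it."""
    username, realm, digest_uri = "chris", "example.org", "imap/mail.example.org"
    nonce, cnonce, nc = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001"   # constructed
    # S -> C: realm, nonce, qop.  C -> S: response computed from the typed password.
    client_secret = secret_hash(username, realm, password)
    response = client_response(client_secret, nonce, cnonce, nc, qop, digest_uri)
    # Server recomputes from its stored hash; compare in constant time.
    expected = client_response(stored_secret, nonce, cnonce, nc, qop, digest_uri)
    server_accepts = (not verify_client) or hmac.compare_digest(response, expected)
    if not server_accepts:
        return {"response": response, "server_accepts": False, "client_accepts": False}
    # S -> C: rspauth.  The client only treats the session as authenticated if it matches.
    rspauth = server_rspauth(stored_secret, nonce, cnonce, nc, qop, digest_uri)
    client_accepts = hmac.compare_digest(
        rspauth, server_rspauth(client_secret, nonce, cnonce, nc, qop, digest_uri))
    return {"response": response, "rspauth": rspauth,
            "server_accepts": True, "client_accepts": client_accepts}


if __name__ == "__main__":
    stored = secret_hash("chris", "example.org", "secret")
    print(run_exchange("secret", stored))
    print(run_exchange("secret", b"\x00" * 16, verify_client=False))
```

The second call in the `__main__` block is the case the message is worried about: a server that does not hold the user's secret hash can emit a challenge and claim success, but it cannot produce a matching `rspauth`, so a client that checks `rspauth` before sending anything sensitive refuses the session. A client that skips that check gets none of this benefit, which is why implementations should treat a missing or mismatched `rspauth` as a hard failure.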