I-D ACTION:draft-leach-digest-sasl-00.txt (fwd)
Chris Newman <Chris.Newman@INNOSOFT.COM> Wed, 07 October 1998 01:21 UTC
Date: Tue, 06 Oct 1998 18:21:12 -0700
From: Chris Newman <Chris.Newman@INNOSOFT.COM>
Subject: I-D ACTION:draft-leach-digest-sasl-00.txt (fwd)
To: ietf-sasl@imc.org
Message-id: <Pine.SOL.3.95.981006180312.17962U-100000@elwood.innosoft.com>
I'd like to ask people on the list to take a careful look at this internet draft. One of the nastier problems the IETF has faced is the choice of "mandatory-to-implement" authentication mechanism given that unencrypted clear-text passwords are no longer permitted (for good reason).

I believe this is a better choice than CRAM-MD5. The main reason is that this brings HTTP into the set of protocols which can share the same mandatory-to-implement mechanism. There is also an attack against CRAM-MD5 (the password can be easily recovered if the client is tricked into connecting to a spoof server) which is a major concern for some implementors. It also adds integrity protection.

This mechanism is crufty due to the desire to keep it backwards compatible with the HTTP digest draft. But I think the benefit outweighs the cruft (and the source code necessary to work around the nastiest cruft is included).

Please take the time to read this over carefully. I consider it extremely important. If we get a sense of rough consensus for this mechanism, the following things are likely to happen:

* LDAPv3 will adopt it as mandatory-to-implement
* I will lobby for a recycle of the ACAP spec at proposed standard to change from CRAM-MD5 to this mechanism.
* I will lobby for this as mandatory-to-implement in the NNTP AUTH draft.
* Other political stuff moving towards making this an across-the-board replacement for unencrypted clear-text.

- Chris

---------- Forwarded message ----------
Date: Mon, 05 Oct 1998 10:10:50 -0400
From: Internet-Drafts@ietf.org
To: IETF-Announce: ;
Subject: I-D ACTION:draft-leach-digest-sasl-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title		: Using Digest Authentication as a SASL Mechanism
	Author(s)	: P. Leach, C. Newman
	Filename	: draft-leach-digest-sasl-00.txt
	Pages		: 20
	Date		: 02-Oct-98

This specification defines how HTTP Digest Authentication [Digest] can be used as a SASL [RFC 2222] mechanism for any protocol that has a SASL profile. It is intended both as an improvement over CRAM-MD5 [RFC2195] and as a convenient way to support a single authentication mechanism for web, mail, LDAP, and other protocols.

Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-leach-digest-sasl-00.txt".

A URL for the Internet-Draft is:
ftp://ftp.ietf.org/internet-drafts/draft-leach-digest-sasl-00.txt

Internet-Drafts directories are located at:

	Africa:		ftp.is.co.za
	Europe:		ftp.nordu.net
			ftp.nis.garr.it
	Pacific Rim:	munnari.oz.au
	US East Coast:	ftp.ietf.org
	US West Coast:	ftp.isi.edu

Internet-Drafts are also available by mail.

Send a message to: mailserv@ietf.org. In the body type:
"FILE /internet-drafts/draft-leach-digest-sasl-00.txt".

NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.