[NNTP] AUTHINFO diffs (take 2)
Ken Murchison
ken at oceana.com
Thu Jun 9 11:20:26 PDT 2005
Russ Allbery wrote:
>
> The only remaining concern that I have is that recent IETF traffic and
> comments from Sam Hartman lead me to wonder if CRAM-MD5 is something that
> we shouldn't be mentioning. Apparently, it's vulnerable to MITM attacks
> and doesn't really make the security community happy.
>
> Our only references to it are as an example of another auth mechanism, as
> near as I can tell. Maybe we should use GSSAPI for that example instead
> of CRAM-MD5?
>
> It's not a big deal since it's just an example and an informative
> reference, but I don't know if it might be better to be safe.
The only problem is that CRAM-MD5 is the only mainstream SASL mechanism
which doesn't support an initial response, so unless I make something
up, we're stuck with it. We're not endorsing or recommending its use,
so I think we're safe.
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
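
An added illustration of the point in the reply above, not part of the original message or of the draft: in CRAM-MD5 the client's only message is a keyed digest of the server's challenge, so nothing can be sent as an initial response with the AUTHINFO SASL command. The NNTP response codes (383, 281, 481) are those of the AUTHINFO SASL specification as later published (RFC 4643), the helper names are hypothetical, and the credentials and challenge are the sample values from RFC 2195.

```python
import base64
import hashlib
import hmac


def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side: user name, a space, then hex HMAC-MD5(secret, challenge)."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}".encode()


def server_verify(secrets: dict, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest for the claimed user and compare."""
    user, _, digest = response.decode(errors="replace").rpartition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def exchange(user: str, secret: bytes, challenge: bytes, secrets: dict) -> list:
    """Return the transcript of one AUTHINFO SASL CRAM-MD5 exchange."""
    b64 = lambda raw: base64.b64encode(raw).decode()
    # The command carries no initial response: the client has no challenge yet.
    lines = ["C: AUTHINFO SASL CRAM-MD5"]
    lines.append("S: 383 " + b64(challenge))       # server speaks first
    response = cram_md5_response(user, secret, challenge)
    lines.append("C: " + b64(response))            # client's single message
    ok = server_verify(secrets, challenge, response)
    lines.append("S: 281 Authentication accepted" if ok
                 else "S: 481 Authentication failed")
    return lines


if __name__ == "__main__":
    # Sample values taken from the example in RFC 2195.
    chal = b"<1896.697170952@postoffice.reston.mci.net>"
    for line in exchange("tim", b"tanstaaftanstaaf", chal,
                         {"tim": b"tanstaaftanstaaf"}):
        print(line)
```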