Re: Last Call: draft-siemborski-rfc2554bis (SMTP Service Extension for Authentication) to Proposed Standard
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Last Call: draft-siemborski-rfc2554bis (SMTP Service Extension for Authentication) to Proposed Standard

Hi Philip, thanks for the review. But are we looking at the same version of this doc? We dealt with this after doing a pseudo-WG-last- call on the SMTP mailing list and the -07 draft now has:

          To ensure interoperability, client and server implementations
          of this extension MUST implement the [PLAIN] SASL mechanism.

Note: a server implementation MUST implement a configuration
in which it does NOT permit any plaintext password mechanisms,
unless either the STARTTLS [SMTP-TLS] command has been
negotiated or some other mechanism that protects the session
from password snooping has been provided. Server sites SHOULD
NOT use any configuration which permits a plaintext password
mechanism without such a protection mechanism against password
snooping.

Lisa


On Jan 24, 2007, at 7:15 PM, Philip Guenther wrote:

On Wed, 24 Jan 2007, The IESG wrote:
The IESG has received a request from an individual submitter to consider
the following document:

- 'SMTP Service Extension for Authentication '
  <draft-siemborski-rfc2554bis-07.txt> as a Proposed Standard


draft-siemborski-rfc2554bis does not appear to contain any text similar to the last paragraph of section 4 in the rfc1734bis draft, requiring servers to support a configuration that does not permit passive password snooping.

I disagree with the choice of DIGEST-MD5 as the mandatory-to- implement mechanism. Given that many of the other protocols likely to be used by an SMTP client, such as POP3, IMAP4rev1, and LDAP, have chosen to specify "TLS followed by a cleartext password authentication" as their MtI authentication method, specifying DIGEST-MD5 here seems like a needless difference. I see no reason to believe DIGEST-MD5 will be more deployable in SMTP/submission servers than in IMAP, POP3, or LDAP servers.


Philip Guenther

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf



_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf



Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.