-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Peacock wrote:
> Yeah, not having any simple way to test it makes it kind of hard to
> implement... ;-)

My initial testing has been done using swaks with Authen::Digest::MD5.
Mostly seems to work.

> Why?  Is there any evidence that CRAM-MD5 is insecure when used for
> ESMTP AUTH?  Just because TBird wants to support DIGEST-MD5, doesn't
> mean we should leap to supporting it immediately.  AFAIK, the following
> quote from:

No evidence it's insecure.  It is not so much insecurity as the
potential for increased security that has piqued my interest.

>> In practice [CRAM-MD5 is] the only allowed and supported
>> SASL-mechanism for ESMTPA without Transport Layer Security (TLS).

We'd run it within TLS (as we do CRAM-MD5 now).

But if I can also quote the RFC:

"Also, compared to CRAM-MD5, DIGEST-MD5 prevents chosen plaintext
attacks, and permits the use of third party authentication servers,
mutual authentication, and optimized reauthentication if a client has
recently authenticated to a server."

> Reading through RFC-2831, it is clear that DIGEST-MD5 has a much more
> complicated implementation than CRAM-MD5, but it still requires the
> password be maintained in cleartext on the server side AFAICT.

Agreed - hence my email - I started hacking something and then decided
to ask before I duplicated what looks to be a painful road.

The password is encoded but yes essentially plaintext.  The server
security doesn't bother me so much - locked down fairly tight.  It's the
transaction that does.  Particularly in our SSO environment where that
password might exist for multiple applications of varying risk levels.

If it's not feasible (and it looks fairly tricky) and no one else has an
interest I'll not devote too many tuits to it.  I have plenty of other
projects to undertake.

But thought I'd ask the question.

Regards

James Turnbull

- --
James Turnbull <[EMAIL PROTECTED]>
- ---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)

Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
- ---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFmoZw9hTGvAxC30ARAvdtAJ9G6zQoZLc60uIAOBDPcHmZck6NTACfUOwy
ghALa2qfpaXKS2t2q5+3wgs=
=g3qf
-----END PGP SIGNATURE-----
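Added worked example (editor's addition; not code from James's mail, from swaks, from Authen::Digest::MD5 or from the RFCs) showing the client and server sides of both mechanisms under discussion: CRAM-MD5 (RFC 2195) and DIGEST-MD5 (RFC 2831). It makes the two points of the thread concrete: a CRAM-MD5 server must hold the password (or HMAC state derived from it) to verify, while a DIGEST-MD5 server can hold H(user:realm:password) instead, which is still password-equivalent for that realm; and DIGEST-MD5 lets the server prove itself back to the client via rspauth. The hostnames, realm and accounts are made up; the two fixed test vectors are the published examples from RFC 2195 and RFC 2831 section 4.

```python
"""CRAM-MD5 (RFC 2195) and DIGEST-MD5 (RFC 2831) as used by ESMTP AUTH.
Constructed example: hostnames, realm and accounts are assumptions."""
import base64
import hashlib
import hmac
import os


# ---------------- CRAM-MD5 (RFC 2195) ----------------

def cram_md5_challenge(hostname="mail.example.org"):
    """Server side: an unpredictable msg-id style challenge (sent base64-encoded)."""
    return f"<{int.from_bytes(os.urandom(8), 'big')}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client side: 'username HEX(HMAC-MD5(password, challenge))'."""
    mac = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5)
    return f"{username} {mac.hexdigest()}"


def cram_md5_verify(stored_passwords, challenge, response):
    """Server side.  Recomputing the MAC needs the password itself (or the
    HMAC-MD5 pad state derived from it); a one-way password hash is not enough."""
    username, _, digest = response.partition(" ")
    password = stored_passwords.get(username)
    if password is None:
        return False
    mac = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5)
    return hmac.compare_digest(mac.hexdigest(), digest)


# ---------------- DIGEST-MD5 (RFC 2831) ----------------

def _hex(data):
    return hashlib.md5(data).hexdigest()


def digest_md5_stored_secret(username, realm, password):
    """What a DIGEST-MD5 server can store instead of the cleartext password:
    H(username:realm:password), 16 raw bytes.  Still password-equivalent for
    this realm (whoever steals it can log in), just not reusable verbatim."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def digest_md5_compute(secret, nonce, cnonce, nc, qop, digest_uri,
                       authzid="", server_side=False):
    """RFC 2831 response-value (client) or rspauth (server_side=True),
    derived from the stored secret, never from the password."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if server_side else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    kd = f"{_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex(a2.encode('utf-8'))}"
    return _hex(kd.encode("utf-8"))


def digest_md5_exchange(username, password, realm, digest_uri, server_secrets):
    """Run the whole exchange in-process; server_secrets maps user -> stored secret.
    Returns what each side concluded."""
    # Server -> client: digest-challenge (SMTP sends it base64 after "334 ").
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    challenge = (f'realm="{realm}",nonce="{nonce}",qop="auth",'
                 'charset=utf-8,algorithm=md5-sess')
    wire = "334 " + base64.b64encode(challenge.encode("utf-8")).decode("ascii")
    # Client -> server: the client derives the same secret from the password.
    cnonce = base64.b64encode(os.urandom(16)).decode("ascii")
    nc = "00000001"
    client_secret = digest_md5_stored_secret(username, realm, password)
    response = digest_md5_compute(client_secret, nonce, cnonce, nc, "auth", digest_uri)
    # Server: verify from the stored secret only, then prove it knows the
    # secret too by returning rspauth, which the client checks (mutual auth).
    stored = server_secrets.get(username)
    accepted = stored is not None and hmac.compare_digest(
        digest_md5_compute(stored, nonce, cnonce, nc, "auth", digest_uri), response)
    rspauth = None
    if accepted:
        rspauth = digest_md5_compute(stored, nonce, cnonce, nc, "auth", digest_uri,
                                     server_side=True)
    mutual = rspauth is not None and hmac.compare_digest(
        digest_md5_compute(client_secret, nonce, cnonce, nc, "auth", digest_uri,
                           server_side=True), rspauth)
    return {"challenge": wire, "accepted": accepted, "mutual_auth": mutual}


def rfc2831_example():
    """Recompute the RFC 2831 section 4 worked example (user chris, password
    secret) so the implementation can be checked against the published vector."""
    secret = digest_md5_stored_secret("chris", "elwood.innosoft.com", "secret")
    args = (secret, "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth",
            "imap/elwood.innosoft.com")
    return digest_md5_compute(*args), digest_md5_compute(*args, server_side=True)


if __name__ == "__main__":
    ch = cram_md5_challenge()
    print(cram_md5_verify({"tim": "tanstaaftanstaaf"}, ch,
                          cram_md5_response("tim", "tanstaaftanstaaf", ch)))
    secrets = {"chris": digest_md5_stored_secret("chris", "elwood.innosoft.com", "secret")}
    print(digest_md5_exchange("chris", "secret", "elwood.innosoft.com",
                              "smtp/mail.example.org", secrets))
```

Note what the server holds in each case: `cram_md5_verify` is given the password table, `digest_md5_exchange` only the table of `digest_md5_stored_secret` values. Neither protects against an attacker who copies the server's store, which is the caveat in the thread; what DIGEST-MD5 adds is that the secret is bound to one realm and that `rspauth` lets the client reject a server that does not know it. Both mechanisms remain MD5-based and are meant to run inside TLS, as the mail says.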
