this is a german Web-Mirror of MHONARC.ORG powered by Domainunion AG

ietf-smtp
[Top] [All Lists]

Re: Requesting reviews: SMTP AUTH update, draft-siemborski-rfc2554bis-05.txt

2006-12-03 15:56:43

Alexey Melnikov wrote:

I would like to solicit some reviews of the 2554bis draft.

===
Use CRAM-MD5 as minimum, it's common practice if there's
anything at all between "LOGIN" and TLS PLAIN.  See also
https://en.wikipedia.org/wiki/CRAM-MD5 and
https://www.ietf.org/IESG/Implementations/CRAM-MD5_implem.txt

===
DIGEST-MD5 is far too complex for its minimal security
advantage.  As for the POP3 draft, if you like to talk
about DIGEST-MD5 please add _working_ examples in all
its confusing ugliness with up to ten (or was it eleven)
parameters in numerous valid and invalid constellations.

If you insist on DIGEST-MD5 as required add it to the
AUTH in your examples (same issue as in the POP draft).
If you use CRAM-MD5 as required add this to the AUTHs.

===
2554 says that the auth param is an <addr-spec>, but you
changed it to <mailbox>.  Please stick to <addr-spec>,
it's a huge difference.

===
What is the password in 2554 for fred, and what is it
in your draft for rjs3 ?  If I didn't screw up for fred 
it's not test, 1234, or tanstaaftanstaaf.  I guess I
hate anything "DIGEST-MD5" since the day when I found
out that the example in 2069 doesn't work.  

===
There's no normative or otherwise reference to RFC 2195
or 2195bis.  I miss a discussion of ESMTPA etc., and a
corresponding normative reference (RFC 3848).

Frank