On Sun, 14 May 2006, John W. Baxter wrote:
>
> We offer all of SPA, CRAM-MD5, PLAIN, and LOGIN. Given that choice,
> Eudora and Thunderbird (at least) will use CRAM (just now verified for
> Thunderbird).
>
> We concluded--probably erroneously--when adding SPA to the list that Outlook
> Express would not use SPA unless it was advertised prior to the plain text
> alternatives.
>
> And because of the need for plain text passwords for CRAM, I would be
> dubious about including it in the default configuration other than as a
> comment pointing out its existence and that restriction and pointing to its
> place in the manual.
Does SPA also require plaintext passwords on the server? Hmm, the docs say
yes.
When I went to the IETF meeting in Paris last year, there was some
discussion about the security of CRAM-MD5 versus plaintext passwords over
TLS, and the consensus was that the latter is better - I didn't understand
the detail of the attacks against CRAM-MD5, but they were more serious
than just plaintext passwords on the server, and might even have been as
bad as offline brute-force attacks. I think I would only use it if I
couldn't justify the cost of a TLS certificate.
The right thing for the default configuration file is to make it easy to
implement the well-established consensus, which AFAICT for authentication
is TLS+PLAIN (+LOGIN).
I think that once a user understands enough to implement these, SPA should
be simple, and since it's non-standard I'm disinclined to add it to the
default configuration and let people who need it read the spec.
One final note: I propose to change src/EDITME to enable the plaintext
authenticator by default.
Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
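As an added illustration of the server-side storage point raised in this thread (this is not code from the list or from Exim), the following Python sketches both mechanisms: verifying a CRAM-MD5 response forces the server to keep each password in recoverable form, while a PLAIN credential sent inside TLS can be checked against a salted PBKDF2 hash. The user, password and hostname are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample account (not from the thread).
USER, PASSWORD = "alice", "correct horse battery"

def cram_md5_challenge(hostname="mx.example.test"):
    """RFC 2195 challenge: a unique string the server sends (base64 on the wire)."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>"

def cram_md5_response(challenge, user, password):
    """Client side: HMAC-MD5 keyed with the password, over the challenge."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {digest}"

def cram_md5_verify(challenge, response, plaintext_store):
    """Server side: recomputing the HMAC needs the password (or equivalent key state)."""
    user, _, digest = response.partition(" ")
    secret = plaintext_store.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def pbkdf2_record(password, salt=None):
    """Server record for PLAIN/LOGIN: salted, iterated hash; the password is not kept."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def plain_verify(message, hashed_store):
    """PLAIN carries authzid\\0authcid\\0password, so it belongs inside TLS only."""
    _authz, authc, password = message.split("\0", 2)
    rec = hashed_store.get(authc)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(pbkdf2_record(password, salt)[1], stored)

def demo():
    plain_store = {USER: PASSWORD}            # what CRAM-MD5 obliges you to keep
    hashed_store = {USER: pbkdf2_record(PASSWORD)}  # enough for PLAIN over TLS
    chal = cram_md5_challenge()
    ok_cram = cram_md5_verify(chal, cram_md5_response(chal, USER, PASSWORD), plain_store)
    ok_plain = plain_verify(f"\0{USER}\0{PASSWORD}", hashed_store)
    return ok_cram, ok_plain
```

Note that `hashed_store` cannot serve CRAM-MD5 at all: without the password the server cannot recompute the HMAC, which is the restriction the thread refers to.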