Re: [exim] Exim4 + fixed_cram

Author: Wolfgang Breyha
Date:  
To: Phil Pennock, exim-users@exim.org
Subject: Re: [exim] Exim4 + fixed_cram
Phil Pennock wrote, on 23/01/14 08:55:
> CA, or an end-user behaving like an end-user and clicking through some
> dialogue box complaining of a cert mismatch, will result in disclosure
> of the persistent bearer credential that is a password.


You can't protect this type of end-user anyway. Neither with SCRAM nor any
other technical measure. They will "lose" their credentials on the first
phishing attempt or trojan in reach.

> After SCRAM, supported by Exim with GSASL (and enable the
> Exim server_channelbinding option) I push for GSSAPI (in more structured
> environments), DIGEST-MD5 (which provides mutual authentication without
> the channel-binding protection), and CRAM-MD5.


And why are there drafts for moving CRAM-MD5 and DIGEST-MD5 to historic then?
http://tools.ietf.org/html/draft-ietf-kitten-digest-to-historic-04
http://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00

Both documents make me think that recommending those mechs is not an optimal
choice.

SCRAM would be an option if a suitable implementation for an existing
installation existed. But SCRAM was not the topic of the OP.

> PLAIN auth is a disservice to your users;


Well, I think you blame the wrong person here.

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> | http://www.blafasel.at/
Vienna University Computer Center | Austria
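The two properties argued over in this thread, SCRAM's mutual authentication and its optional TLS channel binding (what Exim's server_channelbinding option turns on), are easiest to see in a full SCRAM-SHA-1 exchange. The following is an added example written for this page; it is not Exim, GSASL or any poster's code. It implements the RFC 5802 message flow directly with the standard library on both sides. The channel-binding bytes, salt, user name and password are constructed for the demo (a real client and server would each take the tls-unique value from their own TLS session), and the `require_cbind` flag is an assumed stand-in for a server-side "channel binding mandatory" policy, not a mirror of Exim's option.

```python
import base64
import hashlib
import hmac
import secrets

HASH = "sha1"  # SCRAM-SHA-1; "sha256" gives SCRAM-SHA-256 with no other change


def _h(data):
    return hashlib.new(HASH, data).digest()


def _hmac(key, msg):
    return hmac.new(key, msg, HASH).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(msg):
    # SCRAM attributes are "k=v" pairs joined by ","; base64 values may contain "="
    return dict(item.split("=", 1) for item in msg.split(","))


def scram_credentials(password, salt, iterations):
    """What the server stores: StoredKey and ServerKey, never the password itself
    (CRAM-MD5/DIGEST-MD5 force the server to keep a password equivalent)."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(client_key), "server_key": _hmac(salted, b"Server Key")}


class ScramClient:
    def __init__(self, username, password, cbind_data=None):
        self.username, self.password, self.cbind = username, password, cbind_data
        # gs2 header: "n" = no channel binding, "p=<type>" = bind to the TLS session
        self.gs2_header = "n,," if cbind_data is None else "p=tls-unique,,"

    def first_message(self):
        self.cnonce = base64.b64encode(secrets.token_bytes(18)).decode()
        self.bare = f"n={self.username},r={self.cnonce}"  # username not ',' escaped here
        return self.gs2_header + self.bare

    def final_message(self, server_first):
        a = _attrs(server_first)
        nonce, salt, iterations = a["r"], base64.b64decode(a["s"]), int(a["i"])
        if not nonce.startswith(self.cnonce):
            raise ValueError("server nonce does not extend the client nonce")
        salted = hashlib.pbkdf2_hmac(HASH, self.password.encode(), salt, iterations)
        client_key = _hmac(salted, b"Client Key")
        self.server_key = _hmac(salted, b"Server Key")
        # c= carries the gs2 header plus the channel-binding data (none for "n,,")
        cb = self.gs2_header.encode() + (self.cbind or b"")
        without_proof = f"c={base64.b64encode(cb).decode()},r={nonce}"
        self.auth_message = f"{self.bare},{server_first},{without_proof}".encode()
        # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
        proof = _xor(client_key, _hmac(_h(client_key), self.auth_message))
        return f"{without_proof},p={base64.b64encode(proof).decode()}"

    def verify_server(self, server_final):
        # mutual authentication: only a holder of ServerKey can produce v=
        expected = _hmac(self.server_key, self.auth_message)
        return hmac.compare_digest(expected, base64.b64decode(_attrs(server_final)["v"]))


class ScramServer:
    def __init__(self, user_db, cbind_data=None, require_cbind=False):
        self.db, self.cbind, self.require_cbind = user_db, cbind_data, require_cbind

    def first_message(self, client_first):
        flag, authzid, self.bare = client_first.split(",", 2)
        self.gs2_header, self.use_cb = f"{flag},{authzid},", flag.startswith("p=")
        if self.require_cbind and not self.use_cb:
            raise ValueError("channel binding required")  # assumed policy, not Exim's
        a = _attrs(self.bare)
        self.cred = self.db[a["n"]]
        self.nonce = a["r"] + base64.b64encode(secrets.token_bytes(18)).decode()
        self.server_first = (f"r={self.nonce},s={base64.b64encode(self.cred['salt']).decode()},"
                             f"i={self.cred['iterations']}")
        return self.server_first

    def verify_client(self, client_final):
        """Returns the server-final message on success, None on failure."""
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        a = _attrs(without_proof)
        # the c= value must match the TLS session THIS server is terminating
        expected_cb = self.gs2_header.encode() + ((self.cbind or b"") if self.use_cb else b"")
        if a["r"] != self.nonce or base64.b64decode(a["c"]) != expected_cb:
            return None
        auth_message = f"{self.bare},{self.server_first},{without_proof}".encode()
        client_key = _xor(base64.b64decode(proof_b64), _hmac(self.cred["stored_key"], auth_message))
        if not hmac.compare_digest(_h(client_key), self.cred["stored_key"]):
            return None
        return "v=" + base64.b64encode(_hmac(self.cred["server_key"], auth_message)).decode()


def run_exchange(password_attempt, client_cbind=None, server_cbind=None, require_cbind=False):
    """Constructed end-to-end run; returns (server accepted client, client accepted server)."""
    db = {"alice": scram_credentials("correct horse", b"constructed-salt", 4096)}
    client = ScramClient("alice", password_attempt, client_cbind)
    server = ScramServer(db, server_cbind, require_cbind)
    server_first = server.first_message(client.first_message())
    server_final = server.verify_client(client.final_message(server_first))
    if server_final is None:
        return (False, False)
    return (True, client.verify_server(server_final))
```

`run_exchange("correct horse", b"tls-A", b"tls-B")` models the case in the quoted paragraph: a client that clicked through a certificate warning and is talking to a relaying middlebox. Its proof is bound to channel data the real server never sees, so the server rejects it and the intercepted message reveals nothing reusable, which is the protection neither PLAIN nor CRAM-MD5 nor DIGEST-MD5 can give.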