Phil Pennock wrote, on 23/01/14 08:55:
> CA, or an end-user behaving like an end-user and clicking through some
> dialogue box complaining of a cert mismatch, will result in disclosure
> of the persistent bearer credential that is a password.
You can't protect this type of end-user anyway. Neither with SCRAM nor any
other technical measure. They will "lose" their credentials on the first
phishing attempt or trojan in reach.
> After SCRAM, supported by Exim with GSASL (and enable the
> Exim server_channelbinding option) I push for GSSAPI (in more structured
> environments), DIGEST-MD5 (which provides mutual authentication without
> the channel-binding protection), and CRAM-MD5.
And why are there drafts for moving CRAM-MD5 and DIGEST-MD5 to historic then?
http://tools.ietf.org/html/draft-ietf-kitten-digest-to-historic-04
http://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00
Both documents make me think that recommending those mechs is not an optimal
choice.
SCRAM would be an option if a suitable implementation for an existing
installation existed. But SCRAM was not the topic of the OP.
> PLAIN auth is a disservice to your users;
Well, I think you blame the wrong person here.
Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> |
http://www.blafasel.at/
Vienna University Computer Center | Austria
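Added example, not part of the thread above: a side-by-side of what a SASL PLAIN initial response carries versus a CRAM-MD5 challenge/response exchange, with both the client and the server side written out. It shows the point under discussion concretely: with PLAIN the bearer credential itself crosses the wire, so anything that breaks TLS (a mis-issued CA certificate, a user clicking through a mismatch dialogue) discloses the password, while CRAM-MD5 sends only an HMAC over a fresh server challenge. The usernames, passwords and hostname are constructed for the demonstration; the wire formats follow RFC 4616 (PLAIN) and RFC 2195 (CRAM-MD5). The example also makes the trade-off visible that the historic drafts turn on: the CRAM-MD5 server must keep the password in a form it can recover in plaintext to compute the HMAC, and the mechanism carries no channel binding.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed credentials for the demonstration (not real accounts).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def plain_initial_response(authzid: str, authcid: str, password: str) -> bytes:
    """Client side of SASL PLAIN (RFC 4616):
    base64(authzid NUL authcid NUL password).
    The password itself is on the wire; only TLS stands between it and a
    fake CA or a clicked-through certificate mismatch."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode())


def plain_decode(initial_response: bytes) -> tuple[str, str, str]:
    """What a passive observer of a broken TLS session gets from PLAIN."""
    authzid, authcid, password = base64.b64decode(initial_response).decode().split("\0")
    return authzid, authcid, password


def cram_md5_challenge(hostname: str) -> bytes:
    """Server side of CRAM-MD5 (RFC 2195): a fresh, unguessable challenge in
    the traditional <random.timestamp@host> msg-id form, base64-encoded."""
    nonce = secrets.token_hex(8)
    return base64.b64encode(f"<{nonce}.{int(time.time())}@{hostname}>".encode())


def cram_md5_response(challenge_b64: bytes, username: str, password: str) -> bytes:
    """Client side of CRAM-MD5: base64("username" SP hex(HMAC-MD5(password, challenge))).
    The password is used as the HMAC key and never leaves the client."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def cram_md5_verify(challenge_b64: bytes, response_b64: bytes, lookup_password) -> bool:
    """Server side of CRAM-MD5. Note the cost of this mechanism: lookup_password
    must return the plaintext (or plaintext-equivalent) password, because the
    server has to recompute the same HMAC. Comparison is constant-time."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:
        return False
    stored = lookup_password(username)
    if stored is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Constructed server-side credential store (plaintext, as CRAM-MD5 requires).
_USER_DB = {USERNAME: PASSWORD}


def lookup_password(username: str):
    return _USER_DB.get(username)


def demo() -> dict:
    """Run both exchanges and report what each one exposed on the wire."""
    plain = plain_initial_response("", USERNAME, PASSWORD)
    _, _, leaked = plain_decode(plain)

    challenge = cram_md5_challenge("mail.example.org")
    response = cram_md5_response(challenge, USERNAME, PASSWORD)
    ok = cram_md5_verify(challenge, response, lookup_password)
    wrong = cram_md5_verify(challenge, cram_md5_response(challenge, USERNAME, "guess"), lookup_password)
    # A captured response is bound to its challenge: replaying it against a
    # fresh challenge must fail.
    replay = cram_md5_verify(cram_md5_challenge("mail.example.org"), response, lookup_password)

    return {
        "plain_leaks_password": leaked == PASSWORD,
        "cram_password_on_wire": PASSWORD.encode() in base64.b64decode(response),
        "cram_verified": ok,
        "cram_wrong_password_rejected": not wrong,
        "cram_replay_rejected": not replay,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The replay check is what CRAM-MD5 buys over PLAIN: a captured response is useless against a new challenge. What it does not buy is any binding to the TLS channel, and the server still has to hold a plaintext-recoverable copy of every password, which is why the mechanism is not a drop-in replacement for a hashed password store.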