Peter Saint-Andre wrote:
> Back in August I emailed about this issue [1] with the IETF area
> directors for applications and security, relevant WG chairs, and
> interested others. The conclusion was that in rfc3920bis we would make
> the following changes to the mandatory-to-implement technologies:
> 1. Remove DIGEST-MD5
I strongly disagree. Restrained (Web) clients can't implement TLS over
TCP/IP. So without DIGEST-MD5 the passwords would end up being
transmitted in the clear!
Even where TLS is available, SASL PLAIN requires server operators to
keep copies of all users' passwords. This is a serious (and often
unnecessary) security weakness.
TLS + DIGEST-MD5 is stronger than TLS + SASL PLAIN.
> 2. Add TLS + SASL PLAIN
I agree.
- Ian
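To make the difference between the two mechanisms concrete, here is an added example (not code from the thread, and not any XMPP project's code) that computes a SASL DIGEST-MD5 challenge/response per RFC 2831 alongside a SASL PLAIN initial response per RFC 4616. All credentials, nonces and the digest-uri are constructed sample values; the server-side verifier is the H(username:realm:password) value RFC 2831 requires the server to hold.

```python
import base64
import hashlib
import secrets

# Constructed sample values for the exchange (not taken from the thread).
USERNAME = "alice"
REALM = "example.org"
PASSWORD = "correct horse battery"
DIGEST_URI = "xmpp/example.org"
NC = "00000001"          # nonce-count for the first use of this nonce
QOP = "auth"             # authentication only, no integrity/privacy layer


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(username: str, realm: str, password: str) -> bytes:
    """What a DIGEST-MD5 server keeps per user: the raw 16-byte
    H(username ":" realm ":" password). It never needs the password itself."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(verifier: bytes, nonce: str, cnonce: str,
                    digest_uri: str = DIGEST_URI, nc: str = NC,
                    qop: str = QOP, a2_prefix: str = "AUTHENTICATE:") -> str:
    """RFC 2831 response-value. A1 is the raw verifier joined with the server
    nonce and client cnonce; A2 is "AUTHENTICATE:" digest-uri for the client
    response, or ":" digest-uri for the server's rspauth value."""
    a1 = verifier + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"{a2_prefix}{digest_uri}".encode("utf-8")
    kd = f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2)}"
    return md5_hex(kd.encode("utf-8"))


def client_response(username: str, realm: str, password: str,
                    nonce: str, cnonce: str) -> str:
    """Client side: derives the same verifier from the typed password, then
    answers the challenge. Only the hex digest goes on the wire."""
    return digest_response(stored_verifier(username, realm, password), nonce, cnonce)


def server_verify(verifier: bytes, nonce: str, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored verifier and compare in constant time."""
    expected = digest_response(verifier, nonce, cnonce)
    return secrets.compare_digest(expected, response)


def server_rspauth(verifier: bytes, nonce: str, cnonce: str) -> str:
    """Mutual authentication: the server proves it also holds the verifier."""
    return digest_response(verifier, nonce, cnonce, a2_prefix=":")


def plain_message(username: str, password: str, authzid: str = "") -> str:
    """SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd,
    base64-encoded for the XMPP <auth/> element."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode("utf-8")).decode("ascii")


def password_visible_in_plain(username: str, password: str) -> bool:
    """Anyone who can read the stream (no TLS) recovers the password directly."""
    raw = base64.b64decode(plain_message(username, password))
    return password.encode("utf-8") in raw


def run_exchange(nonce: str = "srv-nonce-1", cnonce: str = "cli-nonce-1") -> dict:
    """Walk one DIGEST-MD5 exchange end to end and report what each side saw."""
    verifier = stored_verifier(USERNAME, REALM, PASSWORD)   # provisioned on the server
    response = client_response(USERNAME, REALM, PASSWORD, nonce, cnonce)
    return {
        "client_sent": response,
        "server_accepted": server_verify(verifier, nonce, cnonce, response),
        "rspauth": server_rspauth(verifier, nonce, cnonce),
        "password_on_wire": PASSWORD in response,
    }


if __name__ == "__main__":
    print("DIGEST-MD5:", run_exchange())
    print("PLAIN on the wire:", plain_message(USERNAME, PASSWORD),
          "-> password recoverable:", password_visible_in_plain(USERNAME, PASSWORD))
```

Two points the exchange makes visible: with DIGEST-MD5 the cleartext password never leaves the client, and a reused nonce/cnonce pair would let a captured response be replayed, which is why the server must issue a fresh nonce each time. The H(username:realm:password) value the server keeps is, for this mechanism, sufficient to impersonate the user, so the verifier store needs the same protection as a password store.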