Phil Pennock wrote, on 23/01/14 08:55:
> CA, or an end-user behaving like an end-user and clicking through some
> dialogue box complaining of a cert mismatch, will result in disclosure
> of the persistent bearer credential that is a password.

You can't protect this type of end-user anyway. Neither with SCRAM nor any other technical measure. They will "lose" their credentials on the first phishing attempt or trojan in reach.

> After SCRAM, supported by Exim with GSASL (and enable the
> Exim server_channelbinding option) I push for GSSAPI (in more structured
> environments), DIGEST-MD5 (which provides mutual authentication without
> the channel-binding protection), and CRAM-MD5.

And why are there drafts for moving CRAM-MD5 and DIGEST-MD5 to historic then?

http://tools.ietf.org/html/draft-ietf-kitten-digest-to-historic-04
http://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00

Both documents make me think that recommending those mechs is not an optimal choice. SCRAM would be an option if a suitable implementation for an existing installation existed. But SCRAM was not the topic of the OP.

> PLAIN auth is a disservice to your users;

Well, I think you blame the wrong person here.

Greetings, Wolfgang

-- 
Wolfgang Breyha <[email protected]> | http://www.blafasel.at/
Vienna University Computer Center | Austria

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
