Marek Kowal wrote:

> Whaw. I never expected to start such a discussion on this list. And almost
> completely OFF-topic, I must admit.
>
> Guys, I did not ask the question: do you think that MS is right not to publish
> an RFC for NTLM. In fact, I do not care. What I care about are the customers of our
> POP3/WebMail service - and their exact number has SEVEN digits - who mostly
> use Outlook Express or Outlook and who connect to our mailboxes. I hoped my
> question was clear, but I'll rewrite it a bit:
>
> What authorization method can I implement on my servers (installing Exchange
> or any Win2k service is out of the question), which will allow us to securely
> authenticate our users and which will not use SSL? SSL is quite "expensive";
> we would have to significantly increase our hardware base. And anyway, I am
> not interested in encrypting mail contents - I just want to keep passwords
> secure.
>
> Still, I've read all those discussions and attacks (mostly on Larry, as if
> his name was Larry Gates, not Larry Osterman) and managed to find two clues:
> one is SPNEGO and the other DIGEST. So I have four questions (and I mean to
> get answers to them, not philosophical points of view, please):
> 1) Which OE clients do support it? Does OE5.0? Or only OE6.0, which - at
> this point - is not really widespread?

Can somebody answer this question?

> 2) Can somebody point me to any resources on SPNEGO/DIGEST? I know, 45 secs.
> on MSDN would do, but I believe experts on this list will know much better
> what is really worth reading.

GSSAPI SPNEGO: RFC 2222 or, even better, draft-ietf-cat-sasl-gssapi-05.txt, as the former is underspecified.

DIGEST-MD5: RFC 2831.

> 3) Is anybody implementing (or has already implemented) any of those in the Unix
> world? Can it be done outside the Windows platform, or will the RFC not be
> published and this is again some proprietary thing?

RFCs exist; there are multiple implementations on different platforms. In particular the one from CMU.

> 4) What POP3 CAPA (or IMAP4 CAPABILITY) AUTH=XXX response should be
> presented to the client, so that it starts negotiating DIGEST? AUTH=DIGEST? This
> would allow me to quickly check which clients will try to negotiate it,
> even without actually implementing it.

DIGEST-MD5 as per RFC 2831.

> There is also another one, this might be more to your liking: is
> SPNEGO/DIGEST really good/secure? Why is it better/worse than CRAM-MD5?

CRAM-MD5 doesn't do mutual authentication, and it also doesn't protect from replay attacks. For more information see the RFCs above.

> Frankly, I'd love to have the first four questions answered before we start
> discussion on that one.

Should we move this discussion to the SASL mailing list?

Alexey Melnikov
__________________________________________
R & D, ACI Worldwide/MessagingDirect
Richmond, Surrey, UK
Phone: +44 20 8332 4508
I speak for myself only, not for my employer.
__________________________________________
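As an added example (not part of the thread, and not the CMU implementation mentioned above), this is the DIGEST-MD5 response and rspauth computation of RFC 2831 for qop=auth, with the server side keeping the bookkeeping that gives the two properties the reply contrasts against CRAM-MD5: an rspauth the client can check (mutual authentication) and refusal of an already-accepted (nonce, nc) pair (replay). The realm, usernames, passwords and digest-uri values are constructed.

```python
import hashlib
import hmac
import secrets

def _hexh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_md5_response(user, realm, password, nonce, cnonce, nc,
                        digest_uri, rspauth=False, qop="auth"):
    """RFC 2831 response-value; with rspauth=True, the server's rspauth value."""
    # A1 for algorithm=md5-sess without authzid: H(user:realm:passwd) ":" nonce ":" cnonce
    a1 = (hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
          + f":{nonce}:{cnonce}".encode())
    # A2 (qop=auth): "AUTHENTICATE:" digest-uri for the client, ":" digest-uri for rspauth
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    return _hexh(f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2.encode())}".encode())

class DigestMd5Server:
    """Minimal server side; 'users' is a constructed username -> password map."""
    def __init__(self, realm, users):
        self.realm, self.users = realm, users
        self.issued = set()   # nonces handed out in challenges
        self.seen = set()     # (nonce, nc) pairs already accepted

    def challenge(self):
        nonce = secrets.token_urlsafe(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user, nonce, cnonce, nc, digest_uri, response):
        """Return rspauth on success, None on failure (unknown user or nonce,
        wrong response, or a reused (nonce, nc) pair, i.e. a replay)."""
        if user not in self.users or nonce not in self.issued or (nonce, nc) in self.seen:
            return None
        args = (user, self.realm, self.users[user], nonce, cnonce, nc, digest_uri)
        if not hmac.compare_digest(digest_md5_response(*args), response):
            return None
        self.seen.add((nonce, nc))
        return digest_md5_response(*args, rspauth=True)

if __name__ == "__main__":
    srv = DigestMd5Server("mail.example.test", {"chris": "secret"})
    nonce, cnonce = srv.challenge(), secrets.token_urlsafe(12)
    resp = digest_md5_response("chris", "mail.example.test", "secret", nonce,
                               cnonce, "00000001", "pop/mail.example.test")
    rspauth = srv.verify("chris", nonce, cnonce, "00000001", "pop/mail.example.test", resp)
    # the client recomputes rspauth from its own key material: mutual authentication
    assert rspauth == digest_md5_response("chris", "mail.example.test", "secret", nonce,
                                          cnonce, "00000001", "pop/mail.example.test", rspauth=True)
    # presenting the captured response again is refused: (nonce, nc) was already accepted
    assert srv.verify("chris", nonce, cnonce, "00000001", "pop/mail.example.test", resp) is None
    print("DIGEST-MD5 exchange ok; replay refused")
```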
