SPNEGO is RFC2831, if it helps :)

Larry Osterman


-----Original Message-----
From: Marek Kowal [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 2:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Outlook express AUTH command

Whaw. I never expected to start such a discussion on this list. And
almost completely OFF-topic, I must admit.

Guys, I did not ask the question: do you think that MS is right not to
publish an RFC for NTLM. In fact, I do not care. What I care about are
the customers of our POP3/WebMail service - and their exact number has
SEVEN digits - who mostly use OutlookExpress or Outlook and who connect
to our mailboxes. I hoped my question was clear, but I'll rewrite it a
bit:

What authorization method can I implement on my servers (installing
Exchange or any Win2k service is out of question), which will allow us
to securely authenticate our users and which will not use SSL? SSL is
quite "expensive", we would have to significantly increase our hardware
base. And anyway, I am not interested in encrypting mail contents - I
just want to keep passwords secure.

Still, I've read all those discussions and attacks (mostly on Larry, as
if his name was Larry Gates, not Larry Osterman) and managed to find two
clues: one is SPNEGO and the other DIGEST. So I have four questions (and
I mean to get answers on them, not the philosophical points of view,
please):
1) Which OE clients do support it? Does OE5.0 do? Or only OE6.0, which -
at that point - is not really widespread?
2) Can somebody point me to any resources on SPNEGO/DIGEST? I know, 45
secs. on MSDN would do, but I believe experts on this list will know
much better what is really worth reading.
3) Is anybody implementing (has already implemented) any of those in
the Unix world? Can it be done outside the Windows platform, or will the
RFC not be published and this is again some proprietary thing?
4) What POP3 CAPA (or IMAP4 CAPABILITY) AUTH=XXX response should be
presented to the client, so that it starts negotiating DIGEST?
AUTH=DIGEST? This would allow me to quickly check which clients will try
to negotiate it, even without actually implementing it.

There is also another one, this might be more to your liking: is
SPNEGO/DIGEST really good/secure? Why is it better/worse than CRAM-MD5?
Frankly, I'd love to have first four questions answered before we start
discussion on that one.

Cheers,
Marek.



> -----Original Message-----
> From: Marek Kowal [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 27, 2002 6:57 PM
> To: '[EMAIL PROTECTED]'
> Subject: Outlook express AUTH command
> 
> 
> Hi there,
> 
> This is not really an IMAP-related question, but:
> 
> Does anybody know, what AUTH modes are supported by Outlook Express?
> I've just heard that APOP or CRAM-MD5 is not supported. Only LOGIN is,
> and this is not real password protection, since this is just BASE64
> login/password encryption and anyone can decrypt them. So how can I
> connect securely to server with OE, except for SSL?
> 
> BTW, will UW-IMAP support NTLM authentication? Is there any Open
> Source server, that does?
> 
> Cheers,
> Marek.
> -- 
> -----------------------------------------------------------------
>  For information about this mailing list, and its archives, see: 
>  http://www.washington.edu/imap/imap-list.html
> -----------------------------------------------------------------
> 
