Sorry, as usual, you're right - I trusted the numbers someone told me without actually checking :)
Larry Osterman

-----Original Message-----
From: Alexey Melnikov [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 7:52 AM
To: Larry Osterman
Cc: [EMAIL PROTECTED]
Subject: Re: Outlook express AUTH command

Larry Osterman wrote:

> SPNEGO is RFC2831, if it helps :)

RFC2831 is DIGEST-MD5.

> Larry Osterman
>
> -----Original Message-----
> From: Marek Kowal [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 28, 2002 2:15 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Outlook express AUTH command
>
> Whaw. I never expected to start such a discussion on this list. And
> almost completely OFF-topic, I must admit.
>
> Guys, I did not ask question: do you think that MS is right not to
> publish RFC for NTLM. In fact, I do not care. What I care, are
> customers of our POP3/WebMail service - and their exact number has
> SEVEN digits - who mostly use OutlookExpress or Outlook and who
> connect to our mailboxes. I hoped my question was clear, but I'll
> rewrite it a bit:
>
> What authorization method can I implement on my servers (installing
> Exchange or any Win2k service is out of question), which will allow us
> to securely authenticate our users and which will not use SSL? SSL is
> quite "expensive", we would have to significantly increase our
> hardware base. And anyway, I am not interested in encrypting mail
> contents - I just want to keep passwords secure.
>
> Still, I've read all that discussions and attacks (mostly on Larry, as
> if his name was Larry Gates, not Larry Osterman) and managed to find
> two clues: one is SPNEGO and the other DIGEST. So I have four
> questions (and I mean to get answers on them, not the philosophical
> points of view, please):
>
> 1) which OE clients do support it? Does OE5.0 do? Or only OE6.0, which
>    - at that point - is not really wide spread?
> 2) Can somebody point me to any resources on SPNEGO/DIGEST? I know, 45
>    secs. on MSDN would do, but I believe experts on this list will
>    know much better what is really worth reading.
> 3) Is anybody implementing (has already implemented) any of those in
>    Unix world. Can it be done outside Windows platform, or the RFC
>    will not be published and this is again some proprietary thing?
> 4) What POP3 CAPA (or IMAP4 CAPABILITY) AUTH=XXX response should be
>    presented to client, so that it starts negotiating DIGEST?
>    AUTH=DIGEST? This would allow me quickly to check, which clients
>    will try to negotiate it, even without actually implementing it.
>
> There is also another one, this might be more to your liking: is
> SPNEGO/DIGEST really good/secure? Why is it better/worse than
> CRAM-MD5? Frankly, I'd love to have first four questions answered
> before we start discussion on that one.
>
> Cheers,
> Marek.
>
> > -----Original Message-----
> > From: Marek Kowal [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, March 27, 2002 6:57 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Outlook express AUTH command
> >
> > Hi there,
> >
> > This is not really IMAP related question, but:
> >
> > Does anybody know, what AUTH modes are supported by Outlook Express?
> > I've just heard that APOP or CRAM-MD5 is not supported. Only LOGIN
> > is, and this is not real password protection, since this is just
> > BASE64 login/password encryption and anyone can decrypt them. So how
> > can I connect securely to server with OE, except for SSL?
> >
> > BTW, will UW-IMAP support NTLM authentication? Is there any Open
> > Source server, that does?
> >
> > Cheers,
> > Marek.
> > --
> > -----------------------------------------------------------------
> > For information about this mailing list, and its archives, see:
> > http://www.washington.edu/imap/imap-list.html
> > -----------------------------------------------------------------
> >

--
Alexey Melnikov
__________________________________________
R & D, ACI Worldwide/MessagingDirect
Richmond, Surrey, UK
Phone: +44 20 8332 4508

I speak for myself only, not for my employer.
__________________________________________
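
Added example, not part of the original thread: what the client sends for AUTH LOGIN versus for CRAM-MD5 (RFC 2195), the two kinds of mechanism contrasted in the first message. The first challenge and the tim/tanstaaftanstaaf credentials are the RFC 2195 sample; the other user name, password and challenge are constructed values.

```python
import base64
import hashlib
import hmac


def login_wire(user: str, password: str) -> list:
    """Client lines of AUTH LOGIN: base64(user), then base64(password)."""
    return [base64.b64encode(s.encode()).decode() for s in (user, password)]


def recover_from_login(lines: list) -> tuple:
    """Base64 is an encoding, not encryption: decoding needs no secret."""
    user, password = (base64.b64decode(l).decode() for l in lines)
    return user, password


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client line of CRAM-MD5: base64(user + " " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(stored_password: str, challenge_b64: str, response_b64: str) -> bool:
    """Server recomputes the HMAC over the challenge it issued and compares."""
    _user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    expected = hmac.new(stored_password.encode(),
                        base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # AUTH LOGIN with constructed credentials: the password is recoverable from the wire.
    wire = login_wire("marek", "s3cret-example")
    print("LOGIN lines:", wire, "->", recover_from_login(wire))

    # CRAM-MD5 with the RFC 2195 sample challenge and credentials.
    ch1 = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
    resp = cram_md5_response("tim", "tanstaaftanstaaf", ch1)
    print("CRAM-MD5 line decodes to:", base64.b64decode(resp).decode())
    print("accepted for its own challenge:", server_verify("tanstaaftanstaaf", ch1, resp))

    # A fresh (constructed) challenge makes the recorded response useless.
    ch2 = base64.b64encode(b"<2002.1017300000@pop.example.net>").decode()
    print("accepted for a new challenge:", server_verify("tanstaaftanstaaf", ch2, resp))
```

The server needs the password (or an equivalent keyed state) to verify CRAM-MD5, so it protects the password in transit only, not at rest.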
