During the IETF SYSLOG session on Wednesday, the question was raised why DIGEST-MD5 is the suggested SASL in the syslog-reliable document (and BEEP in general). I'll try to summarize why DIGEST-MD5 was chosen as mandatory to implement by several protocols.

Better than CRAM-MD5, because:

- Allows client to authenticate server (mutual authentication).
- Has integrity and privacy protection layer (the majority of other mechanisms don't have that).
- Uses message counters in hash calculation to prevent replay attack.
- Authentication exchange includes authorization information.

Easier to deploy than GSSAPI (Kerberos, X.509) because it doesn't require additional infrastructure (although it is not as secure as GSSAPI).

Alexey
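The message counter and mutual authentication points above, worked through as an added example (not part of the original message): it computes the DIGEST-MD5 response and rspauth values as defined in RFC 2831 for qop=auth. The `Server` class, `client_message` helper and dict field names are hypothetical; the sample values follow the IMAP example in RFC 2831, and a UTF-8 charset is assumed.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def response_value(user, realm, password, nonce, cnonce, nc, digest_uri,
                   authzid=None, from_server=False):
    """RFC 2831 response-value (qop=auth); from_server=True yields rspauth."""
    # A1 binds the password hash to both nonces and, if present, the authzid.
    a1 = md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid is not None:
        a1 += f":{authzid}".encode()
    # A2 differs per direction, so a client response cannot be echoed as rspauth.
    a2 = ("" if from_server else "AUTHENTICATE") + ":" + digest_uri
    # The nonce-count (nc) is hashed in, so each exchange has a distinct response.
    kd = f"{md5(a1).hex()}:{nonce}:{nc:08x}:{cnonce}:auth:{md5(a2.encode()).hex()}"
    return md5(kd.encode()).hex()

class Server:
    """Hypothetical verifier; assumes the nonce was issued by this server."""
    def __init__(self, passwords):
        self.passwords = passwords
        self.last_nc = {}  # nonce -> highest nonce-count accepted so far

    def verify(self, m):
        """Return rspauth on success, None on a bad response or reused count."""
        if m["nc"] != self.last_nc.get(m["nonce"], 0) + 1:
            return None  # count already seen (replay) or out of sequence
        password = self.passwords.get(m["user"])
        if password is None:
            return None
        args = (m["user"], m["realm"], password, m["nonce"], m["cnonce"],
                m["nc"], m["digest_uri"])
        if not hmac.compare_digest(response_value(*args), m["response"]):
            return None
        self.last_nc[m["nonce"]] = m["nc"]
        # Only a party that knows the password can produce this value.
        return response_value(*args, from_server=True)

def client_message(password, nc):
    m = dict(user="chris", realm="elwood.innosoft.com", nonce="OA6MG9tEQGm2hh",
             cnonce="OA6MHXh6VqTrRk", nc=nc, digest_uri="imap/elwood.innosoft.com")
    m["response"] = response_value(m["user"], m["realm"], password, m["nonce"],
                                   m["cnonce"], nc, m["digest_uri"])
    return m
```

The client checks the returned rspauth against its own `response_value(..., from_server=True)` before trusting the server.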
