At 01:36 PM 9/7/2006, John C Klensin wrote:
>Actually, that topic opens up one of the fundamental issues with
>our standards process ... one where better definition and clear
>community consensus is, IMO, needed. Measured by our documented
>criteria, 2195 exists in multiple independent implementations,
>has been widely deployed, and is considered useful by many of
>those who are using it.
In addition to security concerns, it must be stated that
implementations of RFC 2195 suffer from interoperability
problems due to its failure to specify a character set/encoding
and normalization/preparation algorithm for the password string.
The WG decided it was better to document current implementations
of CRAM-MD5 than to rework CRAM-MD5 to address these and other
issues, and to do so on the Informational track.
If you have something new to add to the discussion of the revision
approach taken within the SASL WG, you (and others) are welcome
to comment on the SASL WG list. The document will be in WG Last
-- Kurt, SASL WG co-chair
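
The interoperability problem described in the message above, as an added example that is not part of the original message: the same typed password produces different RFC 2195 responses depending on how each side turns it into bytes. The function names, the sample user, password and challenge, and the three candidate encodings are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import unicodedata

# Constructed sample challenge; a real server sends a fresh one per attempt.
CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.example.net>").decode()


def cram_md5_response(user: str, password_bytes: bytes, challenge_b64: str) -> str:
    """Client response: base64(user SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password_bytes, challenge, hashlib.md5).hexdigest()
    # The sample user name is ASCII, so encoding it is unambiguous here.
    return base64.b64encode(f"{user} {digest}".encode("ascii")).decode("ascii")


def password_variants(password: str) -> dict:
    """Byte strings that different implementations could derive from one password.

    RFC 2195 does not say which of these is right; the three listed are
    assumed examples, not a survey of real implementations.
    """
    nfc = unicodedata.normalize("NFC", password)
    nfd = unicodedata.normalize("NFD", password)
    return {
        "utf8-nfc": nfc.encode("utf-8"),
        "utf8-nfd": nfd.encode("utf-8"),
        "latin1": nfc.encode("latin-1"),
    }


def interop_matrix(user: str, password: str, challenge_b64: str) -> dict:
    """Map (client_choice, server_choice) -> whether authentication succeeds."""
    variants = password_variants(password)
    result = {}
    for c_name, c_bytes in variants.items():
        response = cram_md5_response(user, c_bytes, challenge_b64)
        for s_name, s_bytes in variants.items():
            expected = cram_md5_response(user, s_bytes, challenge_b64)
            result[(c_name, s_name)] = hmac.compare_digest(expected, response)
    return result


if __name__ == "__main__":
    for pair, ok in interop_matrix("tim", "p\u00e4ssw\u00f6rd", CHALLENGE).items():
        print(pair, "accepted" if ok else "rejected")
```

With an ASCII-only password every pairing succeeds, which is why the mismatch tends to surface only once a user picks a non-ASCII password.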