[BXXPwg] SUMMARY: Why to use DIGEST-MD5 in syslog-reliable

Alexey Melnikov mel@messagingdirect.com
Sat, 16 Dec 2000 02:07:03 -0700


During the IETF SYSLOG session on Wednesday the question was raised why
DIGEST-MD5 is the suggested SASL in the syslog-reliable document (and BEEP
in general).

I'll try to summarize why DIGEST-MD5 was chosen as mandatory to
implement by several protocols.

Better than CRAM-MD5, because:
- Allows the client to authenticate the server (mutual authentication).
- Has an integrity and privacy protection layer (the majority of other
  mechanisms don't have that).
- Uses message counters in the hash calculation to prevent replay attacks.
- Authentication exchange includes authorization information.

Easier to deploy than GSSAPI (Kerberos, X.509) because it doesn't
require additional infrastructure (although it is not as secure as
GSSAPI).

Alexey
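
Added example, not part of the original message: a Python sketch of the RFC 2831 digest computation for qop=auth, showing the three properties listed above (authzid bound into the hash, nonce-count checked to reject replays, rspauth letting the client authenticate the server). The Server class, the helper names and all sample values (user, realm, password, nonces, the "syslog/..." digest-uri) are constructed for illustration.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest(user, realm, password, nonce, cnonce, nc, uri,
           authzid=None, a2_prefix="AUTHENTICATE"):
    """RFC 2831 response-value for qop=auth; a2_prefix="" gives rspauth."""
    a1 = H(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid is not None:          # authorization identity is hashed into A1
        a1 += f":{authzid}".encode()
    ha1 = H(a1).hex()
    ha2 = H(f"{a2_prefix}:{uri}".encode()).hex()
    # The nonce-count (8 hex digits) is part of the keyed digest input.
    return H(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}".encode()).hex()

class Server:
    """Constructed verifier for one user and one server nonce."""
    def __init__(self, user, realm, password, nonce, uri):
        self.cred, self.nonce, self.uri = (user, realm, password), nonce, uri
        self.expected_nc = 1

    def verify(self, cnonce, nc, response, authzid=None):
        """Return rspauth on success; None on a bad digest or a reused nc."""
        if nc != self.expected_nc:   # replayed or out-of-order message
            return None
        args = (*self.cred, self.nonce, cnonce, nc, self.uri, authzid)
        if not hmac.compare_digest(digest(*args), response):
            return None
        self.expected_nc += 1
        return digest(*args, a2_prefix="")   # proves the server knows the secret

def client_accepts_server(rspauth, *args):
    """Client side of mutual authentication: recompute and compare rspauth."""
    return rspauth is not None and hmac.compare_digest(
        digest(*args, a2_prefix=""), rspauth)

if __name__ == "__main__":
    # Constructed sample values, not taken from the message or any deployment.
    a = ("logger", "example.org", "s3cret", "srv-nonce-1", "cli-nonce-1", 1,
         "syslog/collector.example.org", "ops")
    srv = Server("logger", "example.org", "s3cret", "srv-nonce-1",
                 "syslog/collector.example.org")
    resp = digest(*a)
    print("first use accepted:", client_accepts_server(srv.verify("cli-nonce-1", 1, resp, "ops"), *a))
    print("replay accepted:   ", srv.verify("cli-nonce-1", 1, resp, "ops") is not None)
```

DIGEST-MD5 was later moved to Historic status by RFC 6331, so the sketch is for understanding the mechanism discussed in this message rather than for new deployments.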