RFC 2195 defines a simple challenge-response authentication mechanism based on an MD5 hash of a shared secret. Originally designed for use by IMAP, CRAM-MD5 was quickly incorporated into a number of protocols, and has since become one of the most widely deployed security mechanisms on the Internet.
Despite its popularity, CRAM-MD5 was never formally specified as a SASL mechanism. In 2003 the SASL WG undertook a work item to produce a formal CRAM-MD5 SASL mechanism definition. Progress on the document suffered from numerous delays: contention over normalization of UTF-8 strings, perceived flaws in MD5, and an IETF-wide bias against security mechanisms lacking integrity and data protection all served to stifle any useful progress.
Facing an absence of consensus and a lack of will to pursue what most WG members considered to be an obsolete (and insecure) mechanism, the WG decided in early 2009 to drop the CRAM-MD5 update from its task list. Instead, the WG will concentrate on developing a replacement mechanism that addresses CRAM-MD5's shortcomings.
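As an added illustration, not part of the original page, of the exchange RFC 2195 specifies: the server sends a fresh challenge, the client answers with its username and a keyed MD5 digest (HMAC-MD5 as in RFC 2104) of that challenge under the shared secret, and the server recomputes the digest from the secret it stores. The username, secret and challenge are the ones from the RFC 2195 example; the `SECRETS` store, the hostname and the function names are assumptions made for this demo.

```python
import base64
import hmac
import secrets
import time

# Constructed secret store for the demo. CRAM-MD5 obliges the server to keep
# each shared secret in a form usable as an HMAC key (the plaintext, or an MD5
# state derived from it), which is one of the mechanism's weaknesses.
SECRETS = {"tim": b"tanstaaftanstaaf"}  # user and secret from the RFC 2195 example

def make_challenge(host: str) -> bytes:
    """Server side: an unpredictable, single-use challenge in msg-id form."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{host}>".encode()

def cram_md5_response(username: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side: 'username SP hex(HMAC-MD5(secret, challenge))' per RFC 2195."""
    digest = hmac.new(secret, challenge, "md5").hexdigest()
    return f"{username} {digest}".encode()

def verify_response(response: bytes, challenge: bytes) -> bool:
    """Server side: recompute the keyed digest from the stored secret and compare."""
    try:
        username, digest = response.decode("ascii").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    secret = SECRETS.get(username)
    if secret is None or len(digest) != 32:
        return False
    expected = hmac.new(secret, challenge, "md5").hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison

def run_exchange(username: str, secret: bytes, host: str = "example.test") -> bool:
    """One full exchange, base64-encoded on the wire as IMAP and POP carry it."""
    challenge = make_challenge(host)
    wire_challenge = base64.b64encode(challenge)  # S: + <base64 challenge>
    wire_response = base64.b64encode(             # C: <base64 response>
        cram_md5_response(username, secret, base64.b64decode(wire_challenge)))
    # Only the secret is protected here: the session that follows gets no
    # integrity or confidentiality protection from the mechanism itself.
    return verify_response(base64.b64decode(wire_response), challenge)

if __name__ == "__main__":
    print(run_exchange("tim", b"tanstaaftanstaaf"))  # True
    print(run_exchange("tim", b"wrong-secret"))      # False
```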
| Abbreviation | Reference |
|---|---|
| IMAP | Internet Message Access Protocol - Version 4rev1, M. Crispin. |
| RFC 2195 | IMAP/POP AUTHorize Extension for Simple Challenge/Response, J. Klensin, R. Catoe, and P. Krumviede. |
| SASL | Simple Authentication and Security Layer (SASL), A. Melnikov and K. Zeilenga. |
| SASL WG | IETF SASL Working Group. |