Digest Authentication over TLS



Now that a compromise is almost reached about the authentication methods, it's maybe a good time to stir things up a bit ;-)

If Digest/SASL is to be the Mandatory-to-Implement non-plaintext password mechanism, why do we need any plaintext password mechanism at all?

Guess that most will agree that it's not a good idea to send out passwords at all, even if they are encrypted going through the SSL channel. 

The idea is to use the same Digest Authentication scheme instead of plaintext passwords over TLS as the more secure, heavy-weight authentication scheme.

Furthermore, if there is that mandatory Digest/SASL implementation, with all its algorithms and password-file equivalent table of hashed user info, then the additional implementation of a table with plain-text passwords does seem double work and maintenance. 
Especially when you will allow users to come in through both mechanisms. How are these accounts and passwords synchronized?

Believe we would need an additional SASL mechanism for Digest-TLS/SASL.

Is it too late to consider this option?

-Frank.

-- 
Frank Siebenlist              DASCOM, Inc. 
Chief Architect               3004 Mission Street
Email: frank@dascom.com       Santa Cruz, CA 95060, USA
Phone: +1 831/460-3600        Fax: +1 831/460-0255
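To make the post's point concrete, here is an added example (not from the original message or the working group) of why a server that holds only the digest's hashed user entry can verify a challenge-response login but cannot check a plaintext password. It assumes the "Digest/SASL" in question is DIGEST-MD5 as specified in RFC 2831, with no authzid and qop=auth; the user, realm, nonces and URI are constructed sample values.

```python
import hashlib
import secrets


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_secret(user: str, realm: str, password: str) -> bytes:
    # The only credential material the server keeps: H(user:realm:password).
    # The plaintext password itself is never stored and never sent.
    return _md5(f"{user}:{realm}:{password}".encode())


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    # RFC 2831 response-value with no authzid:
    #   A1 = H(user:realm:passwd) ":" nonce ":" cnonce
    #   A2 = "AUTHENTICATE:" digest-uri
    #   response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd_input = f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2)}"
    return _hexmd5(kd_input.encode())


def server_verifies(user: str, realm: str, password: str, attempt: str) -> bool:
    # Server side: derive the expected response from the stored hash only.
    # The client side computes the same value from the password it knows.
    # Constructed sample nonces; a real server generates a fresh nonce per exchange.
    nonce = "server-nonce-" + secrets.token_hex(8)
    cnonce = "client-nonce-" + secrets.token_hex(8)
    nc, uri = "00000001", f"ldap/{realm}"
    expected = digest_response(stored_secret(user, realm, password), nonce, cnonce, nc, uri)
    got = digest_response(stored_secret(user, realm, attempt), nonce, cnonce, nc, uri)
    return secrets.compare_digest(expected, got)


def server_checks_plaintext(stored: bytes, attempt: str) -> bool:
    # The digest table alone cannot validate a plaintext login: the server
    # would need user and realm to recompute the hash, and a separate
    # plaintext table would have to be kept in sync, as the post argues.
    return False  # no way to compare a bare password against H(user:realm:pw)
```

Only the 32-character hex response crosses the wire in each direction; `server_checks_plaintext` exists to make explicit that a digest-only credential table gives the server nothing to compare a plaintext password against.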