Trying to eat my own dog food, I drew this one...

- I guess this could be updated to say "don't offer an MSA that ever allows for cleartext submission" but UTA will probably get to that.
- Section 4 does actually mention privacy which is good!
- I also generally dislike how MUAs ask for both username and password before they do MSA discovery - I always worry that the MUA is liable to be sending those to the n/w insecurely, so maybe a BCP could suggest something there.
- Not sure if RFC4954 is still something we'd recommend (but I didn't read it, so maybe it is), seems like TLS is the right thing today for this.
