On Wed, 29 May 2002 [EMAIL PROTECTED] wrote:
> You're missing one from the list: SSL and LOGIN (or PLAIN). This likely would
> be acceptable. I believe the IESG could be convinced this is the way to go.
> Perhaps this would be more acceptable as a mandatory to implement: It certainly
> avoids all the authentication source issues.
>
> Still another option is to go with more than one mandatory to implement. You
> could say that all clients must do SSL+LOGIN and DIGEST-MD5 while servers can
> choose between the two. (I don't know if this helps, but I thought I should
> mention it.)
OK, this is helpful and may be the breakthrough that was needed. How about the following:

A "plaintext authentication mechanism" is one of the following:
 . the PLAIN SASL mechanism
 . the legacy LOGIN command

All clients MUST implement all the following:
 . plaintext authentication mechanism after STARTTLS
 . plaintext authentication mechanism in SSL IMAP (port 993)
 . CRAM-MD5

Clients SHOULD implement the following:
 . DIGEST-MD5
 . Kerberos

All servers MUST implement at least one of the following:
 . plaintext authentication mechanism after STARTTLS
 . CRAM-MD5

Servers SHOULD implement the following:
 . plaintext authentication mechanism in SSL IMAP (port 993)
 . DIGEST-MD5
 . Kerberos

This matches current reality.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
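The client-side consequence of the proposal above, as an added example (not code from the list or from any IMAP implementation): given a server's CAPABILITY response and whether the connection is already protected (after STARTTLS or on port 993), pick a mechanism so that PLAIN or LOGIN is never used on an unprotected connection, and check whether the server advertises at least one of the proposed server-MUST options. The LOGINDISABLED capability and the AUTH=<name> token form are taken from RFC 2595/RFC 3501 and are assumptions of this example, not part of the message.

```python
"""Mechanism selection following the MUST/SHOULD proposal in the message above."""
from typing import Optional, Set

# Preference order, strongest first; GSSAPI is the SASL name for Kerberos.
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]
# "Plaintext authentication mechanisms" in the proposal's sense.
PLAINTEXT = {"PLAIN", "LOGIN"}


def parse_capabilities(line: str) -> Set[str]:
    """Turn '* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 ...' into a set of tokens."""
    tokens = line.strip().split()
    if len(tokens) < 2 or tokens[0] != "*" or tokens[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response")
    return {t.upper() for t in tokens[2:]}


def advertised_mechanisms(caps: Set[str]) -> Set[str]:
    """SASL mechanisms from AUTH= tokens, plus the legacy LOGIN command
    unless the server advertises LOGINDISABLED (RFC 2595, assumption)."""
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    if "LOGINDISABLED" not in caps:
        mechs.add("LOGIN")
    return mechs


def choose_mechanism(caps: Set[str], protected: bool) -> Optional[str]:
    """Strongest mutually supported mechanism; plaintext ones only when the
    connection is protected (STARTTLS done or SSL IMAP on port 993)."""
    mechs = advertised_mechanisms(caps)
    for name in PREFERENCE:
        if name not in mechs:
            continue
        if name in PLAINTEXT and not protected:
            continue  # would send the password in the clear: skip
        return name
    return None  # nothing acceptable; the client should not log in


def server_meets_must(caps: Set[str]) -> bool:
    """Proposal's server MUST: plaintext after STARTTLS, or CRAM-MD5."""
    plaintext_after_starttls = "STARTTLS" in caps and (
        "AUTH=PLAIN" in caps or "LOGINDISABLED" not in caps)
    return plaintext_after_starttls or "AUTH=CRAM-MD5" in caps


# Constructed sample responses (not captured from any real server).
SAMPLE_CRAM = "* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=PLAIN STARTTLS"
SAMPLE_PLAIN_ONLY = "* CAPABILITY IMAP4rev1 AUTH=PLAIN LOGINDISABLED"
```

On an unprotected connection to the first sample server the client picks CRAM-MD5; against the second it refuses to authenticate until the session is protected, after which PLAIN is chosen.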
