On Wed, 29 May 2002, Chris Newman wrote:
> I believe there are two viable choices for mandatory to implement:
>
> (1) Require implementation of STARTTLS (making the most common RSA+RC4
> cipher suite mandatory would be most realistic) and use it with the LOGIN
> command (or PLAIN SASL if you wish).

This is the choice that I would prefer.

> (2) Require implementation of DIGEST-MD5.
> This is not as widely deployed

AFAIK it is completely undeployed in the IMAP world.

I took a look at DIGEST-MD5 and was horrified. It is NOT a simple mechanism to implement. There is quite a bit about it which requires careful consideration to get right (think buffer overflow exploits). All those optional and variable-length fields are a major pain, and quoted strings make it a further nightmare.

IMHO, it is premature to make DIGEST-MD5 mandatory now, but it's alright to say SHOULD in order to get people moving in that direction.

> Both options have open-source code available and many existing IMAP servers
> already comply.

Perhaps there are IMAP servers which have it, but I haven't seen any; and I know of no clients which have it.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
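An added example, not part of the original message or of any IMAP implementation: a bounds-checked lookup of one directive in a DIGEST-MD5 style challenge, showing where the variable-length fields and quoted strings mentioned above need explicit length and termination checks. The function name `digest_get`, its return codes and the sample challenge are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the value of directive `key` from a DIGEST-MD5 style list
 * (key=token or key="quoted \"string\"", comma separated) into out.
 * Returns the value length, -1 if the key is absent, -2 if the input is
 * malformed or the value does not fit in outsz bytes (NUL included). */
int digest_get(const char *in, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = in;
    if (outsz == 0) return -2;
    while (*p) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        if (!*p) break;
        const char *k = p;
        while (*p && *p != '=' && *p != ',') p++;
        if (*p != '=') return -2;                  /* directive without '=' */
        int match = (size_t)(p - k) == klen && strncmp(k, key, klen) == 0;
        int quoted = (*++p == '"');                /* step over '=' */
        size_t n = 0;
        if (quoted) p++;
        for (;; p++) {
            if (quoted ? *p == '"' : (!*p || *p == ',' || isspace((unsigned char)*p))) break;
            if (quoted && *p == '\\') p++;         /* quoted-pair: keep next byte */
            if (!*p) return -2;                    /* unterminated quoted-string */
            if (match) {
                if (n + 1 >= outsz) return -2;     /* value would overflow out */
                out[n++] = *p;
            }
        }
        if (quoted) p++;                           /* step over closing quote */
        while (isspace((unsigned char)*p)) p++;
        if (*p && *p != ',') return -2;            /* junk after the value */
        if (match) { out[n] = '\0'; return (int)n; }
    }
    return -1;
}

int main(void)
{
    /* Constructed challenge, not captured from a real server. */
    const char *ch = "realm=\"example.org\",nonce=\"ab\\\"c,d\",algorithm=md5-sess";
    char buf[16];
    printf("%d\n", digest_get(ch, "nonce", buf, sizeof buf));
    printf("%d\n", digest_get(ch, "realm", buf, 4));
    return 0;
}
```

Every copy into `out` is preceded by a length check, and a quoted string that runs off the end of the input is rejected instead of being read past its terminator.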
