On Wed, 29 May 2002, Lawrence Greenfield wrote: > Our local site policy doesn't offer DIGEST-MD5---but > that isn't what we're talking about.
The point seems to be interoperability between compliant implementations. A client which only implements DIGEST-MD5 is not able to talk to your server. I think that we can require SSL/TLS + plaintext and for the most part reflect the world that exists today. I don't think that we can require DIGEST-MD5 and reflect the world that exists today; nor do I think that an implementor would be well-served by a document that implies that a viable product can be produced that only implements DIGEST-MD5. This argument would actually suggest against removing the requirement for CRAM-MD5 in my proposal and going only with SSL/TLS + plaintext. Perhaps that's the best thing to do. -- Mark -- http://staff.washington.edu/mrc Science does not emerge from voting, party politics, or public debate.
