> On Wed, 29 May 2002 [EMAIL PROTECTED] wrote:
> > You're missing one from the list: SSL and LOGIN (or PLAIN). This likely would
> > be acceptable. I believe the IESG could be convinced this is the way to go.
> > Perhaps this would be more acceptable as a mandatory to implement: It certainly
> > avoids all the authentication source issues.
> >
> > Still another option is to go with more than one mandatory to implement. You
> > could say that all clients must do SSL+LOGIN and DIGEST-MD5 while servers can
> > choose between the two. (I don't know if this helps, but I thought I should
> > mention it.)
> OK, this is helpful and may be the breakthrough that was needed.
> How about the following:
> A "plaintext authentication mechanism" is one of the following:
> . the PLAIN SASL mechanism
> . the legacy LOGIN command
> All clients MUST implement all the following:
> . plaintext authentication mechanism after STARTTLS
> . plaintext authentication mechanism in SSL IMAP (port 993)
> . CRAM-MD5
> Clients SHOULD implement the following:
> . DIGEST-MD5
> . Kerberos
> All servers MUST implement at least one of the following:
> . plaintext authentication mechanism after STARTTLS
> . CRAM-MD5
> Servers SHOULD implement the following:
> . plaintext authentication mechanism in SSL IMAP (port 993)
> . DIGEST-MD5
> . Kerberos
A plan of this sort seems quite reasonable to me. The specifics, of course,
are up to the group.
Ned
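As an added illustration of the client side of the quoted proposal (example code, not from anyone in this thread): a client that only uses PLAIN or the legacy LOGIN command after STARTTLS or on port 993, falls back to CRAM-MD5 on a cleartext channel, and can compute the RFC 2195 CRAM-MD5 response. The CAPABILITY parsing, the LOGINDISABLED atom (RFC 2595) and the preference ordering are assumptions of the example, not part of the proposal.

```python
"""IMAP client mechanism selection under the quoted proposal (added example).

Policy encoded: PLAIN or the legacy LOGIN command is used only after STARTTLS
or on SSL IMAP (port 993); on a cleartext channel the client uses a
challenge-response mechanism or runs STARTTLS first. Capability atoms follow
RFC 3501/2595; the preference ordering is an assumption of this example.
"""
import base64
import hashlib
import hmac

SSL_IMAP_PORT = 993
# Challenge-response mechanisms first, plaintext ones last (assumed ordering).
PREFERENCE = ["DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]
PLAINTEXT = {"PLAIN", "LOGIN"}  # the proposal's "plaintext authentication mechanisms"

def parse_capabilities(line: str) -> set[str]:
    """Turn '* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN ...' into a set of atoms."""
    atoms = line.strip().split()
    if atoms[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not an untagged CAPABILITY response")
    return set(atoms[2:])

def permitted_mechanisms(caps: set[str], tls_active: bool, port: int) -> list[str]:
    """Mechanisms the policy allows on this channel, in preference order."""
    protected = tls_active or port == SSL_IMAP_PORT
    offered = {c[5:] for c in caps if c.startswith("AUTH=")}
    if "LOGINDISABLED" not in caps:
        offered.add("LOGIN")  # the LOGIN command needs no AUTH= advertisement
    return [m for m in PREFERENCE
            if m in offered and (protected or m not in PLAINTEXT)]

def next_step(caps: set[str], tls_active: bool, port: int) -> str:
    """Return the mechanism to authenticate with, or 'STARTTLS' if TLS must come first."""
    allowed = permitted_mechanisms(caps, tls_active, port)
    if allowed:
        return allowed[0]
    if not tls_active and "STARTTLS" in caps:
        return "STARTTLS"
    raise PermissionError("server offers no mechanism acceptable on a cleartext channel")

def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """RFC 2195 client response: base64(user SP hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()
```

A server that advertises only AUTH=PLAIN without STARTTLS on port 143 yields a PermissionError, which is the point: the client aborts rather than sending the password in the clear.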