> On Thu, 30 May 2002 05:36:44 -0600, Alexey Melnikov wrote: > > I like CRAM-MD5 as MUST (for interoperability), DIGEST-MD5 as > > SHOULD and cleartext + TLS as MUST. > > So basically this is your original proposal without Kerberos and Port 993. > > This is fine with me.
If the requirement is strictly for the "can interoperate" checkbox then that list should contain only CRAM-MD5. I'm firmly against mandating code bloat and complexity solely for political reasons. And really, *requiring* that something like a very lightweight "check-for-new-mail" type client implement TLS when it will never be used (by the target market for the client) is just silly. We only need one non-plaintext mechanism to satisfy the IESG. CRAM-MD5 fits the requirement, is widely deployed, is known to interoperate, and has several independent publically-available implementations. Whether Microsoft wants to (or is able to) implement it is their problem, not ours. --lyndon
