Kurt D. Zeilenga wrote:
> Let me repeat using different words which Howard and others have
> already explained to you.
>
> Password-based mechanisms require the client to have knowledge of
> the actual password. That password is either provided by a
> human or read from a password store.

I know this gets OT, but shouldn't that read:

Challenge-response-based mechanisms (such as CRAM-MD5, DIGEST-MD5) require the cleartext password to be stored on client and server?

It is my understanding that you can have cleartext passwords on the wire (SASL PLAIN, LOGIN, simple_bind, ...) and store hashes on the server side *OR* secure exchange of credentials with challenge-response mechanisms (*-MD5), which require cleartext passwords on both sides. You cannot have both.

cheers
Paul
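To make the trade-off in the post above concrete, here is an added example (not code from the thread, from OpenLDAP, or from any SASL library) that models the two verification paths in Python: a CRAM-MD5-style exchange, where the server can only check the client's HMAC by recomputing it from the password it holds, and a PLAIN-style exchange, where the password travels on the wire but the server can verify it against a salted PBKDF2 hash. The user name, password, challenge string and the in-memory "stores" are constructed sample values; the challenge format merely imitates the RFC 2195 message-id style and is not a real challenge.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# ---------------------------------------------------------------------------
# Challenge-response path (CRAM-MD5 shape): HMAC-MD5(password, challenge).
# The server must hold the password itself to recompute the HMAC, so a
# one-way hash of the password at rest is not enough to verify the client.
# ---------------------------------------------------------------------------

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: answer the server challenge using the cleartext password."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: bytes,
                    cleartext_store: Dict[str, str]) -> bool:
    """Server side: verify by recomputing the HMAC from the stored cleartext password."""
    username, _, digest = response.partition(" ")
    password = cleartext_store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    # constant-time comparison so verification time does not leak how many
    # leading hex characters matched
    return hmac.compare_digest(expected, digest)


# ---------------------------------------------------------------------------
# Cleartext-on-the-wire path (SASL PLAIN shape): the client sends the password,
# so the server only needs a salted one-way hash at rest (PBKDF2-HMAC-SHA256
# here, as an assumed choice; the post does not name a hash function).
# ---------------------------------------------------------------------------

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def make_hash_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Create the at-rest record (salt, hash) for a PLAIN-verified account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def plain_verify(username: str, password: str,
                 hash_store: Dict[str, Tuple[bytes, bytes]]) -> bool:
    """Server side: check the password sent on the wire against the stored salted hash."""
    record = hash_store.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample account and challenge (not real credentials).
    user, pw = "paul", "s3cret-example"
    challenge = b"<1234.567890@mail.example.invalid>"

    # CRAM-MD5: the server store must contain the cleartext password.
    cram_store = {user: pw}
    resp = cram_md5_response(user, pw, challenge)
    print("CRAM-MD5 response on the wire:", resp)
    print("CRAM-MD5 verified:", cram_md5_verify(resp, challenge, cram_store))

    # PLAIN: the password itself crosses the wire; the server stores a hash.
    plain_store = {user: make_hash_record(pw)}
    print("PLAIN verified:", plain_verify(user, pw, plain_store))
    print("PLAIN wrong password:", plain_verify(user, "guess", plain_store))
```

The point of pairing the two is visible in the types of the stores: `cram_md5_verify` cannot be written against `plain_store`, because nothing in a salted PBKDF2 record lets the server reproduce `HMAC-MD5(password, challenge)`. In practice both paths are usually wrapped in TLS, which is what removes the "cleartext on the wire" half of the dilemma for PLAIN and simple bind.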
