> I understand why you want to stuff this in at the TLS layer, but
> realistically you have to change the IMAP, POP, FTP and other implementations
> to use client certs anyway, so again, why not do it right? I don't see any
> point in designing something that isn't a complete solution to account for
> existing implementations that don't exist! :)

You may be underestimating the amount of support for client certificates and
AUTH EXTERNAL here, in the case of IMAP at least. I believe Dovecot, Cyrus,
Courier, and Openwave all support them. Oracle's IMAP server definitely does.
On the client side, I believe both Thunderbird and Outlook support client
certificates. The state of play in the mobile space appears to be more
problematic - Apple's client reportedly doesn't support client certificates.
Dunno about Android clients.
FWIW.
Ned
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass