--On Friday, August 06, 2010 09:18:18 AM -0700
NED+mta-filters(_at_)mauve(_dot_)mrochek(_dot_)com wrote:
RFC 5804 says:
> To ensure interoperability, both client and server implementations of
> the ManageSieve protocol MUST implement the SCRAM-SHA-1 [SCRAM] SASL
> mechanism, as well as [PLAIN] over [TLS].
How can this be a requirement, when SCRAM requires passwords to be
stored either as plaintext or in a special SCRAM format? Very few
existing installations would be able to easily start supporting SCRAM.
(Or is this just a tricky way of saying that server code must be able to
support it, but admins can choose if it's actually enabled?)
I don't think it's especially tricky. The text clearly says "implement"
and implement != use.
It's not tricky at all. The goal, as always, is to insure that you can
pick arbitrary combinations of clients and servers off the shelf and be
assured of being able to deploy them in a way that is both secure and
interoperable. This is particularly important when the operator of a
server doesn't have control over the clients, which is most of the time.
_______________________________________________
sieve mailing list
sieve(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/sieve