Alexey Melnikov wrote:
I would like to solicit some reviews of the 2554bis draft.
===
Use CRAM-MD5 as minimum, it's common practice if there's
anything at all between "LOGIN" and TLS PLAIN. See also
http://en.wikipedia.org/wiki/CRAM-MD5 and
http://www.ietf.org/IESG/Implementations/CRAM-MD5_implem.txt
===
DIGEST-MD5 is far too complex for its minimal security
advantage. As for the POP3 draft, if you like to talk
about DIGEST-MD5 please add _working_ examples in all
its confusing ugliness with up to ten (or was it eleven)
parameters in numerous valid and invalid constellations.
If you insist on DIGEST-MD5 as required add it to the
AUTH in your examples (same issue as in the POP draft).
If you use CRAM-MD5 as required add this to the AUTHs.
===
2554 says that the auth param is an <addr-spec>, but you
changed it to <mailbox>. Please stick to <addr-spec>,
it's a huge difference.
===
What is the password in 2554 for fred, and what is it
in your draft for rjs3? If I didn't screw up, for fred
it's not test, 1234, or tanstaaftanstaaf. I guess I
hate anything "DIGEST-MD5" since the day when I found
out that the example in 2069 doesn't work.
===
There's no normative or otherwise reference to RFC 2195
or 2195bis. I miss a discussion of ESMTPA etc., and a
corresponding normative reference (RFC 3848).
Frank
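Since the mail argues for CRAM-MD5 as the minimum and mentions the "tanstaaftanstaaf" secret from RFC 2195, here is an added Python example (not part of Frank's or Alexey's mail, nor of the 2554bis draft) that walks through the RFC 2195 exchange from both sides: the server issues the challenge, the client computes the keyed MD5 digest (HMAC-MD5 per RFC 2104), and the server verifies it with a constant-time comparison. The challenge, user, secret and expected digest are the ones given in RFC 2195 section 2; `secrets_db`, `make_challenge` and the dummy-secret handling for unknown users are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def encode_line(text: str) -> str:
    """Base64-encode one SASL exchange line as it would appear on the wire."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_line(b64: str) -> str:
    """Decode one SASL line; raises ValueError (binascii.Error) on malformed input."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


def make_challenge(host: str) -> str:
    # RFC 2195: the challenge is a unique, unpredictable msg-id style string "<...@host>".
    # Randomness from the `secrets` module; the exact layout is this example's choice.
    return f"<{secrets.randbits(64)}.{secrets.randbits(32)}@{host}>"


def cram_md5_response(username: str, secret: str, challenge: str) -> str:
    """Client side: HMAC-MD5 over the server's challenge, keyed with the shared secret.

    Returns the cleartext "user hexdigest" string that the client then base64-encodes.
    """
    digest = hmac.new(secret.encode("utf-8"), challenge.encode("utf-8"),
                      hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_response(response_b64: str, challenge: str,
                    secrets_db: Dict[str, str]) -> Optional[str]:
    """Server side: decode, look up the user's secret, recompute, compare.

    Returns the username on success and None on any failure. Note that the server
    must hold the cleartext secret (or a secret-equivalent) to recompute the HMAC.
    """
    try:
        decoded = decode_line(response_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, digest = decoded.rpartition(" ")
    if not sep or not username or len(digest) != 32:
        return None
    secret = secrets_db.get(username)
    # Always run the HMAC, even for unknown users, so response time does not leak
    # whether the username exists (the 16 zero bytes are a placeholder key).
    key = secret if secret is not None else "\0" * 16
    expected = hmac.new(key.encode("utf-8"), challenge.encode("utf-8"),
                        hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected, digest.lower())
    return username if (ok and secret is not None) else None


def rfc2195_exchange():
    """Replay the exact exchange printed in RFC 2195 section 2."""
    challenge = "<1896.697170952@postoffice.reston.mci.net>"
    server_line = encode_line(challenge)                 # what the server sends after "+ "
    client_clear = cram_md5_response("tim", "tanstaaftanstaaf", challenge)
    client_line = encode_line(client_clear)              # what the client sends back
    db = {"tim": "tanstaaftanstaaf"}                     # constructed server-side store
    who = verify_response(client_line, challenge, db)
    return server_line, client_line, who


if __name__ == "__main__":
    s, c, who = rfc2195_exchange()
    print("S: +", s)
    print("C:", c)
    print("authenticated as:", who)
```

Running the module prints the two wire lines exactly as RFC 2195 shows them, followed by the authenticated user. Replacing one hex digit of the client line, or replaying the line against a fresh `make_challenge()` value, makes `verify_response` return None.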