At 10:43 PM 6/9/2005, Frank Ellermann wrote:
> And if they don't like CRAM-MD5 what they'll get is LOGIN or
> PLAIN _without_ TLS, sigh.

I disagree with this statement. Today, many email clients
and servers support TLS, and do so independently of what
SASL mechanisms they may or may not support. I think most
users and administrators will enable that TLS support if a
plain text password mechanism is chosen. And, if that's
the RECOMMENDED default, I doubt many users and administrators
will disable TLS without some consideration of the
security implications of their choice.

I think the best option for this protocol, given issues
raised by Simon regarding DIGEST-MD5, is TLS+PLAIN.

Kurt