On Wed, 24 Jan 2007, The IESG wrote:
The IESG has received a request from an individual submitter to consider
the following document:
- 'SMTP Service Extension for Authentication '
<draft-siemborski-rfc2554bis-07.txt> as a Proposed Standard
draft-siemborski-rfc2554bis does not appear to contain any text similar to
the last paragraph of section 4 in the rfc1734bis draft, requiring servers
to support a configuration that does not permit passive password snooping.
I disagree with the choice of DIGEST-MD5 as the mandatory-to-implement
mechanism. Given that many of the other protocols likely to be used by an
SMTP client, such as POP3, IMAP4rev1, and LDAP, have chosen to specify
"TLS followed by a cleartext password authentication" as their MtI
authentication method, specifying DIGEST-MD5 here seems like a needless
difference. I see no reason to believe DIGEST-MD5 will be more deployable
in SMTP/submission servers than in IMAP, POP3, or LDAP servers.
Philip Guenther
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf