Oh. I somehow read that Dan favored APOP. On Fri, Feb 25, 2005, Paul J Stevens <[EMAIL PROTECTED]> said:
> I guess we all agree then: no apop for ldap-based authentication. > > Aaron Stone wrote: >> On Thu, Feb 24, 2005, Dan Weber <[EMAIL PROTECTED]> said: >> >>>I'd suggest instead of APOP, use POP3 over SSL. Storing passwords in >>>plaintext shouldn't be done in any context. Seriously. >> >> Doesn't work if we don't have control of the hashing type, as with LDAP. >> Plus, APOP only handles the authentication, not the data flow. Plenty of >> people would like to secure their entire session and not just the login >> handshake.
