On Fri, 17 Jun 2005, David B Funk wrote:
> secure authentication negotiation and secure password negotiation are NOT necessarily the same thing. For example, a system using GSSAPI (with Kerberos-V) does not have to deal with passwords at all.
Correct.
> If the authentication method is secure then you don't have to encrypt the whole session (unless you care about protecting the privacy of your client's e-mail reading from eavesdroppers ;).
Not quite correct. There is another risk to not encrypting; the session can be seized and taken over ("hijacked") as well as being eavesdropped. There are hacker tools to do this.
-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw