On Thu, 6 Jun 2002, David Harris wrote: > This section, and a reading of IMAP-TLS, appears to be saying that an > IMAP implementation can only be considered compliant if it implements > SSL (sorry for the old terminology - I'm using it to be specific).
Hi David - Your fears are correct. IESG is forcing us to do this. There are other options, but the other options are worse. For example, CRAM-MD5 and its modern-day successor DIGEST-MD5 are unimplementable on servers which use a non-plaintext-equivalent password store. The UNIX password store is such a store, and I think that the NT password store also gives you no access to plaintext. Anyway, you must have access to the password in plaintext or plaintext equivalent to implement the MD5 stuff. STARTTLS was the lessor of two evils. Fortunately for Windows developers, Microsoft has solved the problem for us. Modern versions of Windows have SSL and TLS support in SSPI. Take a look at my IMAP toolkit, ftp://ftp.cac.washington.edu/mail/imap.tar.Z paying particular attention to files: imap-2001a/src/osdep/nt/ssl_nt.c for the pre-Win2K way of doing it, and imap-2001a/src/osdep/nt/ssl_w2k.c for the Win2K, WinMe, and WinXP way of doing it. The latter is actually documented by Microsoft, and is preferred unless you're running on Win98 or NT4. My Windows code is client-only, but it isn't too hard to do server code as long as you get a certificate installed. I never went to the effort of doing it. Strictly speaking, IESG only requires that you "implement" it, not that it actually work on every system that runs your software. You could, for example, implement it for Win2K/Me/XP and have a runtime test to not do it on older versions of Windows. -- Mark -- http://staff.washington.edu/mrc Science does not emerge from voting, party politics, or public debate.