Mark Crispin wrote: > On Thu, 6 Jun 2002, David Harris wrote: > > This section, and a reading of IMAP-TLS, appears to be saying that an > > IMAP implementation can only be considered compliant if it implements > > SSL (sorry for the old terminology - I'm using it to be specific). > > Hi David - > > Your fears are correct. IESG is forcing us to do this. There are other > options, but the other options are worse. For example, CRAM-MD5 and its > modern-day successor DIGEST-MD5 are unimplementable on servers which use a > non-plaintext-equivalent password store. The UNIX password store is such > a store, and I think that the NT password store also gives you no access > to plaintext. Anyway, you must have access to the password in plaintext > or plaintext equivalent to implement the MD5 stuff. STARTTLS was the > lessor of two evils.
> Fortunately for Windows developers, Microsoft has solved the problem for > us. Modern versions of Windows have SSL and TLS support in SSPI. Just to be fair: on Windows 2000 and beyond there is a SSPI provider for DIGEST-MD5. Regards, Alexey Melnikov __________________________________________ R & D, ACI Worldwide/MessagingDirect Richmond, Surrey, UK Phone: +44 20 8332 4508 Home Page: http://orthanc.ab.ca/mel I speak for myself only, not for my employer. __________________________________________
