On Wed, 27 Nov 2002 10:26:12 -0600, Don Moore wrote: > In my opinion, it's not a software author's job to tell users what level > of security they _must_ comply with. If the author wishes to suggest > security, cleartext logins could be disabled by default if the connection is > unsecure. However, this configuration should not be mandatory.
The software author's opinion in the matter is irrelevant. The RFC 2060 replacement, in the RFC editor queue (and hence approved by the IESG), requires this, as will all future RFCs for IMAP and other protocols. It did not get IESG approval without that requirement. This particular battle, for better or worse, has been decided. Server implementations which allow unencrypted plaintext logins are now non-compliant; and to make UW imapd be compliant I had to change it so that plaintext logins are not allowed in unencrypted sessions. The question is whether or not it is safe to exempt localhost connections. Since localhost does not go out over the wire and hence is internal to the local system, it arguably is not within the IETF domain to declare compliance. I am comfortable with that argument; I am not completely sure whether we can assume that localhost connections are a secure path.
