On Thu May 25 11:21:36 2006, Norman Rasmussen wrote:
> Agreed, Psi shouldn't complain about Plain if it's TLS/SSL secured.

Yes it should.

Consider the case where the server is compromised. TLS privacy is only good on the wire, so if you use PLAIN (or any plaintext password mechanism), you've handed the attacker your password. So unless the server cannot be compromised, a client has every right to complain.

If you use DIGEST-MD5, then the attacker only has a plaintext equivalent good enough to authenticate with the compromised server, and cannot obtain anything better from the authentication process on the wire - if the server is compromised, therefore, you've lost privacy, but not your password.

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

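The difference Dave describes, as an added example that is not part of the thread and not Psi or any XMPP server's code: a minimal model of what the server ends up holding after a SASL PLAIN (RFC 4616) login versus a DIGEST-MD5 (RFC 2831, qop=auth, no authzid) login, assuming TLS already protects the wire. The usernames, realm, nonces and passwords are constructed for the demo.

```python
"""Added example: what a compromised server learns from PLAIN vs DIGEST-MD5.

Assumes a TLS-protected channel, so the only observer is the server itself.
All identities, nonces and passwords below are constructed demo values.
"""
import hashlib
import secrets


def _md5(b: bytes) -> bytes:
    return hashlib.md5(b).digest()


def _hexmd5(b: bytes) -> str:
    return hashlib.md5(b).hexdigest()


# ---- SASL PLAIN: the password itself travels inside the TLS tunnel ----
def plain_initial_response(authcid: str, password: str, authzid: str = "") -> bytes:
    """RFC 4616 initial response: [authzid] NUL authcid NUL passwd."""
    return f"{authzid}\0{authcid}\0{password}".encode()


def plain_server_sees(msg: bytes) -> dict:
    """Whatever controls the server decodes this, password included."""
    authzid, authcid, passwd = msg.decode().split("\0")
    return {"authzid": authzid, "authcid": authcid, "password": passwd}


# ---- SASL DIGEST-MD5: the server stores only H(user:realm:pass) ----
def digest_md5_stored_secret(username: str, realm: str, password: str) -> bytes:
    """The 'plaintext equivalent' a DIGEST-MD5 server keeps (RFC 2831 section 3.9)."""
    return _md5(f"{username}:{realm}:{password}".encode())


def _digest_from_hurp(hurp: bytes, nonce: str, cnonce: str, nc: str,
                      digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 section 2.1.2.1, qop=auth, no authzid:
       A1 = H(user:realm:pass) ":" nonce ":" cnonce
       A2 = "AUTHENTICATE:" digest-uri
       response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    Note that only H(user:realm:pass) is needed, never the password string."""
    ha1 = _hexmd5(hurp + f":{nonce}:{cnonce}".encode())
    ha2 = _hexmd5(f"AUTHENTICATE:{digest_uri}".encode())
    return _hexmd5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def digest_md5_client_response(username: str, realm: str, password: str, nonce: str,
                               cnonce: str, nc: str, digest_uri: str) -> str:
    """Client side: derives the response from the real password."""
    hurp = digest_md5_stored_secret(username, realm, password)
    return _digest_from_hurp(hurp, nonce, cnonce, nc, digest_uri)


def digest_md5_server_verify(hurp: bytes, nonce: str, cnonce: str, nc: str,
                             digest_uri: str, response: str) -> bool:
    """Server side: verifies using the stored H(user:realm:pass) only."""
    expected = _digest_from_hurp(hurp, nonce, cnonce, nc, digest_uri)
    return secrets.compare_digest(expected, response)


def compromised_server_learns(username: str, realm: str, password: str) -> dict:
    """Everything an attacker who owns the server ends up holding, per mechanism."""
    plain = plain_server_sees(plain_initial_response(username, password))
    hurp = digest_md5_stored_secret(username, realm, password)
    nonce, cnonce = secrets.token_hex(8), secrets.token_hex(8)   # constructed per login
    resp = digest_md5_client_response(username, realm, password, nonce, cnonce,
                                      "00000001", f"xmpp/{realm}")
    return {
        "plain": plain["password"],                      # the password itself
        "digest": {"stored": hurp.hex(), "response": resp},  # hashes only
    }


if __name__ == "__main__":
    learned = compromised_server_learns("alice", "example.org", "s3cret-demo")
    print("PLAIN  -> attacker holds password:", learned["plain"])
    print("DIGEST -> attacker holds H(u:r:p):", learned["digest"]["stored"])
    # With H(u:r:p) alone the attacker can still log in to THIS realm ...
    hurp = bytes.fromhex(learned["digest"]["stored"])
    forged = _digest_from_hurp(hurp, "n2", "c2", "00000001", "xmpp/example.org")
    print("DIGEST -> H(u:r:p) authenticates here:",
          digest_md5_server_verify(hurp, "n2", "c2", "00000001", "xmpp/example.org", forged))
```

The last lines show both halves of Dave's point: with `hurp` an attacker can forge a valid response for this realm (it is a plaintext equivalent), but the password string itself never reaches the server, so reusing it elsewhere requires brute-forcing the unsalted MD5, which is a real risk for weak passwords given MD5's speed. Note also that RFC 6331 later moved DIGEST-MD5 to Historic status; the comparison here illustrates the 2006 argument, not a current recommendation.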