At 10:43 PM 6/9/2005, Frank Ellermann wrote:
>And if they don't like CRAM-MD5 what they'll get is LOGIN or
>PLAIN _without_ TLS, sigh.

I disagree with this statement. Today, many email clients and servers support TLS, and do so independently of what SASL mechanisms they may or may not support. I think most users and administrators will enable that TLS support if a plain text password mechanism is chosen. And, if that's the RECOMMENDED default, I doubt many users and administrators will disable TLS without some consideration of the security implications of their choice.

I think the best option for this protocol, given issues raised by Simon regarding DIGEST-MD5, is TLS+PLAIN.

Kurt