On Wed, 24 Jan 2007, The IESG wrote:
The IESG has received a request from an individual submitter to consider the following document: - 'SMTP Service Extension for Authentication ' <draft-siemborski-rfc2554bis-07.txt> as a Proposed Standard
draft-siemborski-rfc2554bis does not appear to contain any text similar to the last paragraph of section 4 in the rfc1734bis draft, requiring servers to support a configuration that does not permit passive password snooping.
I disagree with the choice of DIGEST-MD5 as the mandatory-to-implement mechanism. Given that many of the other protocols likely to be used by an SMTP client, such as POP3, IMAP4rev1, and LDAP, have chosen to specify "TLS followed by a cleartext password authentication" as their MtI authentication method, specifying DIGEST-MD5 here seems like a needless difference. I see no reason to believe DIGEST-MD5 will be more deployable in SMTP/submission servers than in IMAP, POP3, or LDAP servers.
Philip Guenther _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf