Lisa Dusseault wrote:

> are we looking at the same version of this doc?

No, the last called is -07, it doesn't REQUIRE [DIGEST-MD5] anymore:

| Note that many existing client and server implementations implement
| CRAM-MD5 [CRAM-MD5] SASL mechanism. In order to insure interoperability
| with deployed software new implementations MAY implement it, however
| implementations should be aware that this SASL mechanism doesn't
| provide any server authentication. Implementations that want to provide
| server authentication are encouraged to implement SASL mechanisms such
| as DIGEST-MD5 [DIGEST-MD5].

The MAY is a bit obscure, of course they MAY do this, optionally. I'd prefer a clearer SHOULD to s/insure/ensure/ (?) interoperability.

It has references to 2195 and 2831bis, and talks about SASLprep. How about using 2195bis, its "security considerations" might be more up to date?

The question of the 2195bis status (draft standard vs. informational) will be interesting, but it won't affect 2554bis, and maybe we'll find a compromise between those positions.

Frank