Eric Rescorla wrote: >S 5. >There needs to be a requirement that this happen over TLS, no? > > Or a SASL security layer that provides data confidentiality (e.g. if GSSAPI was used). But it practice this is most likely be TLS, yes.