[Council] ping

Joe Hildebrand JHildebrand at jabber.com
Fri Jun 13 13:57:01 CDT 2003

> > In security considerations:
> > "Client implementations SHOULD NOT implement the plaintext mechanism,
> > MUST NOT make it the default mechanism, and MUST warn the user that
> > the plaintext mechanism is insecure."
> > Unless the channel is encrypted (using SSL or TLS) and the server is
> > authenticated with a certificate that is signed by a trusted CA.
> Um, did you mean that clients SHOULD NOT implement it, or that it SHOULD
> NOT be used? Those are different things. :) I agree it should not be used
> unless the channel is encrypted blah blah blah, but I can't even use it if
> the client does not implement it.

I meant that it is ok to use plaintext on either side if the channel is
encrypted, and the cert is verified (to prevent MIM attacks).

Joe Hildebrand
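The rule above, as an added client-side example that is not part of this thread or of any Jabber implementation: the mechanism chooser, the client preference list, the `ChannelState` fields and the sample `<stream:features>` are all assumptions constructed for illustration. PLAIN is selected only when the stream is already TLS-protected and the server certificate was verified; otherwise it is skipped even if the server offers nothing else.

```python
# Added example, not code from the original thread: choose a SASL mechanism
# for an XMPP stream, allowing PLAIN only over an encrypted channel whose
# server certificate has been verified against a trusted CA.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Assumed client preference, most preferred first. PLAIN is last and is
# additionally gated by the channel check below.
CLIENT_PREFERENCE = ["DIGEST-MD5", "PLAIN"]


@dataclass
class ChannelState:
    tls_active: bool     # SSL/TLS negotiated on this stream
    cert_verified: bool  # server cert chains to a trusted CA and matches the host


def offered_mechanisms(features_xml: str) -> List[str]:
    """Extract the SASL mechanism names advertised in <stream:features>."""
    root = ET.fromstring(features_xml)
    return [m.text.strip() for m in root.iter(f"{{{SASL_NS}}}mechanism") if m.text]


def plaintext_allowed(chan: ChannelState) -> bool:
    """PLAIN is acceptable only if the channel is encrypted AND the cert is verified."""
    return chan.tls_active and chan.cert_verified


def choose_mechanism(features_xml: str, chan: ChannelState) -> Optional[str]:
    """Pick the first mutually supported mechanism; PLAIN only if the channel qualifies."""
    offered = set(offered_mechanisms(features_xml))
    for mech in CLIENT_PREFERENCE:
        if mech not in offered:
            continue
        if mech == "PLAIN" and not plaintext_allowed(chan):
            continue  # offered, but would expose the password to an eavesdropper or MIM
        return mech
    return None  # nothing acceptable: abort rather than fall back to PLAIN


# Constructed sample: a server that offers only PLAIN.
PLAIN_ONLY_FEATURES = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<mechanisms xmlns='{SASL_NS}'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)
```

A client using this returns `None` for the plain-only server unless both TLS and certificate verification are in place, which is the point at which a user warning belongs.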
