JHildebrand at jabber.com
Fri Jun 13 13:57:01 CDT 2003
> > In security considerations:
> > "Client implementations SHOULD NOT implement the plaintext
> > MUST NOT make it the default mechanism, and MUST warn the user that
> > the plaintext mechanism is insecure."
> > Unless the channel is encrypted (using SSL or TLS) and the
> server is
> > authenticated with a certificate that is signed by a trusted CA.
> Um, did you mean that clients SHOULD NOT implement it, or
> that it SHOULD NOT be used? Those are different things. :) I
> agree it should not be used unless the channel is encrypted
> blah blah blah, but I can't even use it if the client does
> not implement it.
I meant that it is ok to use plaintext on either side if the channel is
the cert is verified (to prevent MIM attacks).
More information about the Council