[Council] ping

Joe Hildebrand JHildebrand at jabber.com
Fri Jun 13 13:57:01 CDT 2003


> > In security considerations:
> > "Client implementations SHOULD NOT implement the plaintext mechanism,
> > MUST NOT make it the default mechanism, and MUST warn the user that
> > the plaintext mechanism is insecure."
> > Unless the channel is encrypted (using SSL or TLS) and the server is
> > authenticated with a certificate that is signed by a trusted CA.
> 
> Um, did you mean that clients SHOULD NOT implement it, or 
> that it SHOULD NOT be used? Those are different things. :) I 
> agree it should not be used unless the channel is encrypted 
> blah blah blah, but I can't even use it if the client does 
> not implement it.

I meant that it is ok to use plaintext on either side if the channel is
encrypted, and the cert is verified (to prevent MIM attacks).

-- 
Joe Hildebrand
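The rule discussed above (plaintext only over an encrypted channel with a verified server certificate, never as the default, and always with a warning) expressed as a client-side SASL mechanism selection policy. This is an added illustration, not code from the thread or from any Jabber implementation; the mechanism names, the `Channel` fields and the `allow_plain` opt-in are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable

# Stronger mechanisms first; names assumed for this example.
PREFERRED = ("SCRAM-SHA-1", "DIGEST-MD5")
PLAINTEXT = "PLAIN"


@dataclass(frozen=True)
class Channel:
    tls_active: bool      # stream is wrapped in SSL/TLS
    cert_verified: bool   # server cert chains to a trusted CA and matches the host


@dataclass(frozen=True)
class Choice:
    mechanism: str
    warn_user: bool       # MUST warn whenever the plaintext mechanism is used


class NoAcceptableMechanism(Exception):
    pass


def plaintext_permitted(chan: Channel) -> bool:
    # Encryption alone is not enough: without certificate verification a
    # man-in-the-middle can terminate TLS itself and read the password.
    return chan.tls_active and chan.cert_verified


def choose_mechanism(offered: Iterable[str], chan: Channel,
                     allow_plain: bool = False) -> Choice:
    """Pick a SASL mechanism from the server's offer.

    PLAIN is never the default: it is used only when nothing stronger is
    offered, the caller explicitly opted in (allow_plain), and the channel
    is encrypted with a verified certificate. Using it always warns.
    """
    offered = {m.upper() for m in offered}
    for mech in PREFERRED:
        if mech in offered:
            return Choice(mech, warn_user=False)
    if PLAINTEXT in offered and allow_plain and plaintext_permitted(chan):
        return Choice(PLAINTEXT, warn_user=True)
    raise NoAcceptableMechanism(
        f"offered={sorted(offered)} tls={chan.tls_active} "
        f"cert_verified={chan.cert_verified} allow_plain={allow_plain}")
```

A server-side policy is the mirror image: advertise PLAIN in the mechanism list only once the stream is TLS-protected.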


