Roger Harrison writes: Based on the comments to the WG over the past several days, I believe that authmeth should only reference DIGEST-MD5 in historical terms.
You should probably keep much of the DIGEST-MD5 text on authmeth-15 page 16 and generalize it to talk about SASL.
Good point.
I would like to replace this reference with DIGEST-MD5 with another mechanism (it does not need to be normative) that would not disclose the password to the server. Suggestions?
CRAM-MD5 seems to be the only alternative mechanism which is widely enough deployed to suggest now. That mechanism apparently has its own problems, though. So I suggest to keep the DIGEST-MD5 reference.
Indeed. Definitely not CRAM-MD5.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun  http://highlandsun.com/hyc
  OpenLDAP Core Team  http://www.openldap.org/project/