On Sat, 04 Jan 2003 21:05:48 -0800 Jesse Peterson jpeterson275@attbi.com wrote:
> Amelia A. Lewis wrote:
> > It turns out that digest-md5 support for clients is, well, not very widespread. I expect this box to be used by various windoze clients, eventually, and while I'm willing to lay down the law a little, I can't find enough digest-md5 support to lay down that law. So, regretfully, I abandoned that plan. This kinda bothers me, since I think TLS/STARTTLS is absolutely the *wrong* solution for mailbox access (or for anything that deals with a store-and-forward transport).
>
> Not to be confrontational at all, but I'm very curious as to why you have such an aversion to SSL/TLS for IMAP access? I think actually an entirely encrypted transport for something as (possibly sensitive) email is a good thing.
That's exactly why.
TLS doesn't secure email. It secures this particular transaction over IMAP. Worse, from my particular perspective, it's the preferred solution to secure authentication, which means that lighter-weight solutions that protect only the authentication secret are much less available.
TLS also tends to be associated with ecommerce, and the famous (or possibly notorious) lock icon. It has a widespread connotation of comfortable security which, of course, IMAP+TLS alone cannot by any means actually guarantee.
My particular installation is supposed to protect the authentication secret, only, because I don't want someone using the system to think "my email is secure" because it runs over a TLS session. It isn't.
Secure email means end-to-end, an agreement between the people who are exchanging it and a willingness to encrypt (and usually to store encrypted). I dislike the impression given by TLS that it's a magical solution to the problem of security (which one hears from programmers that ought to know better, btw ... create an insecure system, and answer questions about security with "anyone worried about it can use SSL!").
But we're off topic, I think, and I'm ranting, because I ended up needing to use the heavyweight solution as client support for the solutions I prefer doesn't seem to be out there. Which is prolly why I made the snide and unnecessary remarks in the first place.
Amy!
Amelia A. Lewis amyzing {at} talsever.com
Light is the left hand of darkness and darkness the right hand of light. Two are one, life and death, lying together like lovers in kemmer, like hands joined together, like the end and the way.
-- Tormer's Lay [Ursula K. Le Guin, "The Left Hand of Darkness"]