proposed new section 2.4.2.3 Required Security Mechanisms
Hi,
I have a proposed new section, 2.4.2.3 Required Security Mechanisms. This
section, in conjunction with revisions to the section "AUTHENTICATE Command",
should eliminate the errors that were noticed in earlier revisions of the
draft.
2.4.2.3 Required Security Mechanisms
The following implementation conformance requirements are in place:
(1) For a read-only, public CS, anonymous authentication,
described in section <fwd ref 7.1.3.1>, can be used.
(2) Implementations providing password-based authenticated access
MUST support authentication using Digest, as described in
section <fwd ref>. This provides client authentication with
protection against passive eavesdropping attacks, but does
not provide protection against active intermediary attacks.
(3) For a CS needing session protection and
authentication, the Start TLS extended operation, and either
the simple authentication choice or the SASL EXTERNAL
mechanism, are to be used together. Implementations SHOULD
support authentication with a password as described in
section <fwd ref>, and SHOULD support authentication with a
certificate as described in section <fwd ref>. Together, these
can provide integrity and disclosure protection of
transmitted data, and authentication of client and server,
including protection against active intermediary attacks.
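The three conformance rules above combine into a small client-side decision procedure: never send a password without TLS unless Digest is available, complete Start TLS before any authentication when session protection is needed, and fall back to anonymous access only for a read-only, public CS. The following is an added illustration of that procedure and is not text or code from the draft or the mailing list; the capability flags, the mechanism labels ("ANONYMOUS", "DIGEST", "SIMPLE", "EXTERNAL"), the step names and the `plan_session` function are all assumptions made for the example.

```python
"""Client-side planning of the conformance rules in proposed section 2.4.2.3.

Added illustration, not code from the draft: the capability flags, mechanism
labels ("ANONYMOUS", "DIGEST", "SIMPLE", "EXTERNAL") and step names are
assumptions used to show how the three rules combine, in the order a
conforming client would apply them.
"""
from dataclasses import dataclass, replace


@dataclass
class ServerCapabilities:
    mechanisms: frozenset       # mechanisms the server advertises (constructed)
    supports_starttls: bool     # Start TLS extended operation offered
    public_readonly: bool       # rule 1: read-only, public CS


@dataclass
class ClientState:
    has_password: bool = False
    has_client_cert: bool = False
    needs_session_protection: bool = False   # rule 3 applies
    tls_active: bool = False


class MechanismError(Exception):
    """Raised when no conforming combination of mechanisms exists."""


# What each (mechanism, TLS) combination protects against, per the proposed text.
PROTECTION = {
    ("DIGEST", False): "client authentication; resists passive eavesdropping only",
    ("SIMPLE", True): "client and server authentication, integrity and disclosure "
                      "protection; resists active intermediaries",
    ("EXTERNAL", True): "client and server authentication, integrity and disclosure "
                        "protection; resists active intermediaries",
    ("ANONYMOUS", False): "no authentication; suitable only for a read-only, public CS",
    ("ANONYMOUS", True): "no client authentication; transport protected",
}


def select_mechanism(server, client):
    """Pick the authentication choice allowed for the current TLS state."""
    if client.needs_session_protection and not client.tls_active:
        raise MechanismError("session protection required: Start TLS must "
                             "complete before authentication")
    if client.tls_active:
        # Rule 3: over TLS, a certificate (SASL EXTERNAL) or a password
        # (simple authentication choice) is acceptable; prefer the certificate.
        if client.has_client_cert and "EXTERNAL" in server.mechanisms:
            return "EXTERNAL"
        if client.has_password:
            return "SIMPLE"
    elif client.has_password:
        # Rule 2: without TLS a password may only be used through Digest,
        # which protects it from passive eavesdropping.
        if "DIGEST" in server.mechanisms:
            return "DIGEST"
        raise MechanismError("server lacks Digest; refusing to send a password in the clear")
    if server.public_readonly:
        return "ANONYMOUS"  # rule 1
    raise MechanismError("no usable credentials for a non-public CS")


def plan_session(server, client):
    """Return (ordered protocol steps, protection obtained) for a conforming client."""
    steps = []
    state = replace(client)  # work on a copy so the caller's state is untouched
    if state.needs_session_protection and not state.tls_active:
        if not server.supports_starttls:
            raise MechanismError("session protection required but server "
                                 "does not offer Start TLS")
        steps.append("STARTTLS")
        state.tls_active = True
    mech = select_mechanism(server, state)
    steps.append(f"AUTHENTICATE {mech}")
    return steps, PROTECTION[(mech, state.tls_active)]


if __name__ == "__main__":
    # Constructed server and client situations covering the three rules.
    private_cs = ServerCapabilities(frozenset({"DIGEST", "EXTERNAL"}), True, False)
    public_cs = ServerCapabilities(frozenset({"DIGEST"}), True, True)
    for label, srv, cli in [
        ("public read-only, no credentials", public_cs, ClientState()),
        ("password, no session protection", private_cs, ClientState(has_password=True)),
        ("password, session protection", private_cs,
         ClientState(has_password=True, needs_session_protection=True)),
        ("certificate, session protection", private_cs,
         ClientState(has_client_cert=True, needs_session_protection=True)),
    ]:
        steps, protection = plan_session(srv, cli)
        print(f"{label}: {' -> '.join(steps)}  [{protection}]")
```

The copy made by `replace` matters: `plan_session` flips `tls_active` only after recording the `STARTTLS` step, so `select_mechanism` can never hand back the simple (cleartext password) choice for a connection that has not actually been upgraded.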