RFC 2595 (rfc2595) - Page 2 of 15

Using TLS with IMAP, POP3 and ACAP

Alternative Format: Original Text Document
< Previous
Next >
RFC 2595           Using TLS with IMAP, POP3 and ACAP          June 1999


   simple passwords and a challenge/response SASL mechanism is likely to
   interoperate with a wide variety of clients without resorting to
   unencrypted clear-text passwords.

   The STARTTLS command rectifies a number of the problems with using a
   separate port for a "secure" protocol variant.  Some of these are
   mentioned in section 7.

1.1. Conventions Used in this Document

   The key words "REQUIRED", "MUST", "MUST NOT", "SHOULD", "SHOULD NOT",
   "MAY", and "OPTIONAL" in this document are to be interpreted as
   described in "Key words for use in RFCs to Indicate Requirement
   Levels" [KEYWORDS].

   Terms related to authentication are defined in "On Internet
   Authentication" [AUTH].

   Formal syntax is defined using ABNF [ABNF].

   In examples, "C:" and "S:" indicate lines sent by the client and
   server respectively.

2. Basic Interoperability and Security Requirements

   The following requirements apply to all implementations of the
   STARTTLS extension for IMAP, POP3 and ACAP.

2.1. Cipher Suite Requirements

   Implementation of the TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [TLS] cipher
   suite is REQUIRED.  This is important as it assures that any two
   compliant implementations can be configured to interoperate.

   All other cipher suites are OPTIONAL.

2.2. Privacy Operational Mode Security Requirements

   Both clients and servers SHOULD have a privacy operational mode which
   refuses authentication unless successful activation of an encryption
   layer (such as that provided by TLS) occurs prior to or at the time
   of authentication and which will terminate the connection if that
   encryption layer is deactivated.  Implementations are encouraged to
   have flexability with respect to the minimal encryption strength or
   cipher suites permitted.  A minimalist approach to this
   recommendation would be an operational mode where the
   TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA cipher suite is mandatory prior to
   permitting authentication.



Newman                      Standards Track
< Previous
Next >