Network Working Group                                          C. Newman
Request for Comments: 2595                                      Innosoft
Category: Standards Track                                      June 1999


                   Using TLS with IMAP, POP3 and ACAP


Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

1. Motivation

   The TLS protocol (formerly known as SSL) provides a way to secure an
   application protocol from tampering and eavesdropping.  The option of
   using such security is desirable for IMAP, POP and ACAP due to common
   connection eavesdropping and hijacking attacks [AUTH].  Although
   advanced SASL authentication mechanisms can provide a lightweight
   version of this service, TLS is complementary to simple
   authentication-only SASL mechanisms or deployed clear-text password
   login commands.

   Many sites have a high investment in authentication infrastructure
   (e.g., a large database of a one-way-function applied to user
   passwords), so a privacy layer which is not tightly bound to user
   authentication can protect against network eavesdropping attacks
   without requiring a new authentication infrastructure and/or forcing
   all users to change their password.  Recognizing that such sites will
   desire simple password authentication in combination with TLS
   encryption, this specification defines the PLAIN SASL mechanism for
   use with protocols which lack a simple password authentication
   command such as ACAP and SMTP.  (Note there is a separate RFC for the
   STARTTLS command in SMTP [SMTPTLS].)
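   The separation this paragraph describes (a privacy layer that protects
   the password in transit, and an unchanged server-side store holding only
   a one-way function of each password) can be illustrated with a small
   server-side login check.  This is an added example, not code from the
   RFC or from any IMAP, POP or ACAP implementation; the PBKDF2-HMAC-SHA256
   verifier, the constructed `PASSWORD_DB` record and the
   `transport_encrypted` flag standing in for a completed TLS negotiation
   are all assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for an existing authentication database that stores
# only a one-way function of each password (here PBKDF2-HMAC-SHA256 with a
# per-user salt, chosen for this example; the RFC names no particular
# function).  Nothing in this store can be handed back to a client, so the
# server can only check a password it actually receives in clear.
def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


# Fixed salt so the constructed record is reproducible.
PASSWORD_DB: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_verifier("correct horse battery staple", salt=b"\x01" * 16),
}

# Dummy record used for unknown users so that a failed lookup costs the same
# as a failed password, which makes username enumeration by timing harder.
_DUMMY = make_verifier("not a real password", salt=b"\x02" * 16)


class ClearTextRefused(Exception):
    """A clear-text password command arrived before TLS was negotiated."""


def login(user: str, password: str, transport_encrypted: bool) -> bool:
    """Check a simple password login against the one-way store.

    transport_encrypted models the connection state after a successful
    STARTTLS: the privacy layer, not the credential check, is what keeps the
    password off the wire.  On an unprotected link the command is refused
    outright rather than checked, so a misconfigured client cannot leak the
    password to an eavesdropper and then be told whether it was right.
    """
    if not transport_encrypted:
        raise ClearTextRefused("password login requires TLS on this connection")
    salt, expected = PASSWORD_DB.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    # Constant-time compare; an unknown user never succeeds even if the dummy matched.
    return hmac.compare_digest(candidate, expected) and user in PASSWORD_DB


def refuses_clear_text(user: str, password: str) -> bool:
    """True if the server refuses the login on an unencrypted transport."""
    try:
        login(user, password, transport_encrypted=False)
    except ClearTextRefused:
        return True
    return False


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple", transport_encrypted=True))  # True
    print(login("alice", "wrong password", transport_encrypted=True))                # False
    print(refuses_clear_text("alice", "correct horse battery staple"))             # True
```

   Because the server receives the password itself, it can check it against
   whatever one-way function the existing database already uses; a
   challenge-response mechanism would instead require the server to hold
   something from which it can compute the expected response.  The refusal
   on an unencrypted transport is the server-side half of the policy this
   section is working toward: the password never reaches the comparison
   unless TLS is already in place.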

   There is a strong desire in the IETF to eliminate the transmission of
   clear-text passwords over unencrypted channels.  While SASL can be
   used for this purpose, TLS provides an additional tool with different
   deployability characteristics.  A server supporting both TLS with




Newman                      Standards Track