
RFC2222bis. Summary Rfc2222bis-13 to be submitted tomorrow Addresses substantive issues Addresses editorial/nits Recommend WGLC upon announcement.



Presentation transcript:

1 RFC2222bis

2 Summary Rfc2222bis-13 to be submitted tomorrow Addresses substantive issues Addresses editorial/nits Recommend WGLC upon announcement

3 Authentication Outcome (Section 3.6)
Add: “The outcome message provided by the server can provide a way for the client to distinguish between errors which are best dealt with by re-prompting the user for her credentials, errors which are best dealt with by telling the user to try again later, and errors where the user must contact a system administrator for resolution (see The SYS and AUTH POP Response Codes [RFC3206] specification for an example). This distinction is particularly useful during scheduled server maintenance periods as it reduces support costs. It is also important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user.”
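As an added example (not from the slides or the rfc2222bis draft), the following Python sketch shows a server mapping authentication failures onto the three outcome classes the proposed Section 3.6 text describes, using the POP3 [SYS/TEMP], [SYS/PERM] and [AUTH] response codes of RFC 3206 as the example codes. The credential store, salt, account states and message wording are constructed for the example; the configurable point is hide_user_existence, which makes an unknown user and a wrong password produce the same message.

```python
"""Added example, not from the slides or the rfc2222bis draft: server-side
mapping of authentication failures onto the outcome classes of the proposed
Section 3.6 text, using RFC 3206 POP3 response codes as the example codes.
The credential store, salt and account states below are constructed."""
import hashlib
import hmac
from enum import Enum


class Failure(Enum):
    BAD_CREDENTIALS = "bad_credentials"    # client should re-prompt the user
    NO_SUCH_USER = "no_such_user"          # re-prompt, but must not be distinguishable
    TEMP_UNAVAILABLE = "temp_unavailable"  # tell the user to try again later
    PERM_ERROR = "perm_error"              # user must contact an administrator


SALT = b"constructed-salt"                 # constructed; a real store salts per user


def _hash(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


# Constructed store: username -> password hash, or None for a disabled account.
USERS = {"alice": _hash("correct horse"), "bob": None}


def authenticate(user: str, password: str, maintenance: bool = False):
    """Return None on success, otherwise the Failure class of the error."""
    if maintenance:
        return Failure.TEMP_UNAVAILABLE
    candidate = _hash(password)  # hash before the lookup so unknown users cost the same time
    if user not in USERS:
        return Failure.NO_SUCH_USER
    stored = USERS[user]
    if stored is None:
        return Failure.PERM_ERROR
    if not hmac.compare_digest(stored, candidate):
        return Failure.BAD_CREDENTIALS
    return None


def outcome_message(failure, hide_user_existence: bool = True) -> str:
    """Map a Failure onto a POP3-style outcome line carrying an RFC 3206 code.
    With hide_user_existence=True an unknown user and a wrong password yield
    byte-identical messages, which is the configuration the proposed text
    says the server must be able to offer."""
    if failure is None:
        return "+OK Logged in."
    if failure is Failure.TEMP_UNAVAILABLE:
        return "-ERR [SYS/TEMP] Server is in maintenance, try again later."
    if failure is Failure.PERM_ERROR:
        return "-ERR [SYS/PERM] Account disabled, contact your administrator."
    if failure is Failure.NO_SUCH_USER and not hide_user_existence:
        return "-ERR [AUTH] No such user."
    return "-ERR [AUTH] Invalid username or password."


def login(user, password, maintenance=False, hide_user_existence=True):
    """Full path: authenticate, then render the outcome the client sees."""
    return outcome_message(authenticate(user, password, maintenance), hide_user_existence)
```

The [AUTH] message is the one a client should answer by re-prompting; [SYS/TEMP] and [SYS/PERM] tell it to wait or to escalate instead. Note that hashing before the user lookup matters as much as the identical message text: an early return for unknown users would leak account existence through response time even when the wording is the same.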

4 Empty Server Challenge Requirement
Retroactively declares the current DIGEST-MD5 mechanism invalid.
Forces server-first mechanisms with a fast re-connect feature to either add an extra empty round-trip or use two mechanisms.
A SASL implementor who coded according to the requirement cannot interoperate with the SMTP LOGIN installed base.

5 With Requirement
C: AUTH DIGEST-MD5
S: OK
C: AUTH DIGEST-MD5
S:
C:
S:
C:
S: OK
(incompatible change to DIGEST-MD5 spec)

6 Without Requirement
C: AUTH DIGEST-MD5
S: OK
C: AUTH DIGEST-MD5
S:
C:
S: OK
(DIGEST-MD5 spec as documented)

7 Workaround
C: AUTH DIGEST-MD5-RECON
S: OK
C: AUTH DIGEST-MD5
S:
C:
S: OK

8 SMTP LOGIN
Netscape Variant:
C: AUTH LOGIN
S:
C:
S: OK
Microsoft Variant:
C: AUTH LOGIN
S: “Username:”
C:
S: “Password:”
C:
S: OK
(non-standard, undocumented)

9 Mechanism downgrade detection
Upon detection, SHOULD close the connection.

10 Security Considerations
Discuss separately:
Downgrade attacks
Hijack attacks
Challenge/response modification -> denied access / retries (each retry gives an attacker additional ciphertext)
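The downgrade detection of slides 9 and 10, as an added example that is not part of the slides or the draft: a client picks the strongest mechanism from the list the server advertised over the unprotected connection, and once a SASL security layer is in place it re-fetches the list and compares; a mismatch means an active attacker edited the first list, and the client closes the connection. The preference order, the set of mechanisms assumed to offer a security layer, and the constructed attacker that filters the unprotected list are assumptions for the example; the authentication exchange itself is not simulated.

```python
"""Added example, not from the slides or the rfc2222bis draft: client-side
mechanism selection with a strength floor, plus downgrade detection by
comparing the mechanism list seen before and after a security layer is up.
PREFERENCE and WITH_LAYER are assumptions for the example."""

# Client preference order, strongest first (assumption).
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]
# Mechanisms assumed here to negotiate a SASL security layer (assumption).
WITH_LAYER = {"GSSAPI", "DIGEST-MD5"}


def choose_mechanism(advertised, minimum="DIGEST-MD5"):
    """Strongest mutually supported mechanism, or None if everything the
    server advertised is weaker than the client's floor `minimum`."""
    floor = PREFERENCE.index(minimum)
    for mech in PREFERENCE[: floor + 1]:
        if mech in advertised:
            return mech
    return None


def downgraded(unprotected_list, protected_list):
    """True when the list seen on the unprotected connection differs from the
    list re-fetched under the security layer: someone edited the first one."""
    return set(unprotected_list) != set(protected_list)


def attacker_filter(advertised, keep):
    """Constructed active attacker: strips every mechanism not in `keep` from
    the list the client sees before any protection is negotiated."""
    return [m for m in advertised if m in keep]


def run_session(unprotected_list, protected_list, minimum="DIGEST-MD5"):
    """Return (chosen mechanism, session result) for one client connection.
    `unprotected_list` is what the client saw initially, `protected_list` what
    the server sends again once the layer (if any) protects the channel."""
    chosen = choose_mechanism(unprotected_list, minimum)
    if chosen is None:
        return None, "closed: no acceptable mechanism"
    # (authentication exchange with `chosen` would happen here)
    if chosen not in WITH_LAYER:
        # No layer, so the second list cannot be trusted any more than the first;
        # only the floor policy protects against a downgrade on this path.
        return chosen, "authenticated: no layer, list cannot be verified"
    if downgraded(unprotected_list, protected_list):
        return chosen, "closed: downgrade detected"
    return chosen, "authenticated"


if __name__ == "__main__":
    server = ["GSSAPI", "DIGEST-MD5", "PLAIN"]
    print(run_session(server, server))
    print(run_session(attacker_filter(server, {"DIGEST-MD5", "PLAIN"}), server))
    print(run_session(attacker_filter(server, {"PLAIN"}), server))
    print(run_session(attacker_filter(server, {"PLAIN"}), server, minimum="PLAIN"))
```

The two checks are complementary: the list comparison only works when the mechanism that survived the attack can establish a layer, so a client whose floor admits PLAIN or LOGIN on an unprotected connection has no way to notice that GSSAPI was stripped. The floor is what prevents the attacker from pushing the client all the way down to a mechanism that cannot detect anything.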

11 IANA Considerations Registration of family of mechanisms

