> (6) For sections--
> 
>  > 6.2.1. AUTHENTICATE Command
> 
>  and
> 
>  > 6.2.2. LOGIN Command
> 
>  some discussion of methods to limit the number of auth/login attempts
>  allowed and/or other mechanisms to discourage name/password
>  hacking (e.g. exponentially delay the server reply for failed attempts)
>  might be appropriate.

It seems sensible to have an RFC discussing that, but should that RFC be
titled "IMAP"?

If there is such an RFC at present (somewhere in the SASL RFCs, for
example?), the IMAP RFC should refer to it and not say anything more.
IMNSHO.

If there isn't any, wouldn't it be best for the IMAP RFC to simply
recommend following the best current practices for discouraging
name/password hacking?

--Arnt
