> IMO, it does no harm to recommend mechanisms in the RFC for dropping the
> connection after N failed login attempts.
No, I'm with Arnt on this one, fully. It's beyond the scope of IMAP to define login security, and any protocol that has authentication (and there are many) has to deal with this. There should be a BCP document (which someone more qualified than I must write, so I'm not volunteering, sorry) that's independent of any specific protocol, which specifies how authentication should be handled, and which should cover the hacking issue as well as any other general authentication issues. And then IMAP and the other protocols should refer to that (and until such a document is there to be referred to, I like Arnt's wording of "follow best current practices").

Remember that any specific wording in IMAP (and POP and SMTP and HTTP and...) will become obsolete when the BCPs change. A separate BCP document can be updated as appropriate.

Ned, comments?

Barry

--
Barry Leiba, Internet Messaging Technology ([EMAIL PROTECTED])
http://www.research.ibm.com/people/l/leiba
