On Wed, 29 May 2002, Barry Leiba wrote:
>> IMO, it does no harm to recommend mechanisms in the RFC for dropping the
>> connection after N failed login attempts.
>No, I'm with Arnt on this one, fully. It's beyond the scope of IMAP to
>define login security, and any protocol that has authentication (and there
>are many) has to deal with this. There should be a BCP document (which
>someone more qualified than I must write, so I'm not volunteering, sorry)
>that's independent of any specific protocol, which specifies how authentication
>should be handled, and which should cover the hacking issue as well as any
>other general authentication issues. And then IMAP and the other protocols
>should refer to that (and until such a document is there to be referred to,
>I like Arnt's wording of "follow best current practices").

I suddenly completely agree to this.

Andy

>Remember that any specific wording in IMAP (and POP and SMTP and HTTP and...)
>will become obsolete when the BCPs change. A separate BCP document can be
>updated as appropriate.
>
>Ned, comments?
>
>Barry
>--
>Barry Leiba, Internet Messaging Technology ([EMAIL PROTECTED])
>http://www.research.ibm.com/people/l/leiba

--
Andreas Aardal Hanssen
