Arnt Gulbrandsen wrote:

> [EMAIL PROTECTED]
> > (6) For sections--
> >
> > > 6.2.1. AUTHENTICATE Command
> >
> > and
> >
> > > 6.2.2. LOGIN Command
> >
> > some discussion of methods to limit the number of auth/login attempts
> > allowed and/or other mechanisms to discourage name/password
> > hacking (e.g. exponentially delay the server reply for failed attempts)
> > might be appropriate.
>
> It seems sensible to have an RFC discussing that, but should that RFC be
> titled "IMAP"?
>
> If there is such an RFC at present (somewhere in the SASL RFCs, for
> example?), the IMAP RFC should refer to it and not say anything more.
> IMNSHO.

Mandatory to implement SASL mechanism is a moving target because it will most likely change over time. Currently the most deployed mechanism for IMAP is probably CRAM-MD5, but LDAP/ACAP/BEEP recommend DIGEST-MD5.

I tend to agree that a separate document should be used, however there is none at this time. And I don't think that the information about mandatory to implement belongs to SASL spec for the same reasons it doesn't belong to IMAP spec.

Regards,
Alexey Melnikov
__________________________________________
R & D, ACI Worldwide/MessagingDirect
Richmond, Surrey, UK
Phone: +44 20 8332 4508

Home Page: http://orthanc.ab.ca/mel

I speak for myself only, not for my employer.
__________________________________________
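
The exponential reply delay suggested in quoted comment (6) for AUTHENTICATE and LOGIN, sketched as an added example; it is not part of this thread or of any IMAP server's code. The class name, the thresholds, and the choice to count failures per account and per client address are assumptions made for illustration.

```python
import time

class AuthThrottle:
    """Exponential reply delay for failed AUTHENTICATE/LOGIN attempts."""

    def __init__(self, base=1.0, cap=60.0, free=2, window=900.0,
                 clock=time.monotonic):
        self.base = base      # first delay in seconds (assumed value)
        self.cap = cap        # upper bound so a reply is never held forever
        self.free = free      # failures tolerated before any delay (typos)
        self.window = window  # idle seconds after which failures are forgotten
        self.clock = clock    # injectable so the logic can be tested offline
        self._fails = {}      # key -> (failure count, time of last failure)

    def _count(self, key):
        count, last = self._fails.get(key, (0, 0.0))
        if count and self.clock() - last > self.window:
            del self._fails[key]          # stale entry: start over
            return 0
        return count

    def failure(self, user, addr):
        """Record a failed attempt; return seconds to hold the tagged NO."""
        worst = 0
        # Count per account AND per client address: the first slows guessing
        # against one account from many hosts, the second slows one host
        # trying many accounts. casefold() assumes case-insensitive names.
        for key in (("user", user.casefold()), ("addr", addr)):
            count = self._count(key) + 1
            self._fails[key] = (count, self.clock())
            worst = max(worst, count)
        if worst <= self.free:
            return 0.0
        # Exponent is clamped so the power never overflows a float.
        steps = min(worst - self.free - 1, 32)
        return min(self.cap, self.base * 2 ** steps)

    def success(self, user):
        """Clear the account counter only; the address counter stays, so a
        client cannot reset its own penalty by logging in to an account it
        controls."""
        self._fails.pop(("user", user.casefold()), None)
```

The server would sleep for the returned number of seconds before sending the tagged NO for the failed command.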
