> [EMAIL PROTECTED]
> > (6) For sections--
> >
> > > 6.2.1. AUTHENTICATE Command
> >
> > and
> >
> > > 6.2.2. LOGIN Command
> >
> > some discussion of methods to limit the number of auth/login attempts
> > allowed and/or other mechanisms to discourage name/password
> > hacking (e.g. exponentially delay the server reply for failed attempts)
> > might be appropriate.
> It seems sensible to have an RFC discussing that, but should that RFC be
> titled "IMAP"?
Probably not, and an acceptable answer to this point may be to toss this over
to the upcoming revision of the SASL specification. (Note that I said "might
be".)
> If there is such an RFC at present (somewhere in the SASL RFCs, for
> example?), the IMAP RFC should refer to it and not say anything more.
> IMNSHO.
I don't believe this is covered anywhere else right now.
> If there isn't any, wouldn't it be best for the IMAP RFC to simply
> recommend following the best current practices for discouraging
> name/password hacking?
Referencing something that doesn't exist yet can get tricky. If this gets
handed off to the SASL folks it may be best to avoid any such reference in this
revision of the IMAP base document.
Ned