On Wed, 29 May 2002 10:12:30 -0700 (PDT), [EMAIL PROTECTED] wrote:

> Probably not, and an acceptable answer to this point may be to toss this
> over to the upcoming revision of the SASL specification. (Note that I said
> "might be".)

My answer is to toss this over to another document, to be determined by the IESG. Is SASL scoped to cover legacy LOGIN commands? What's more, this is a BCP, not a protocol issue. You will find vehement disagreement on any mandatory requirements in this area, as different organizations have different and conflicting security requirements.

> Referencing something that doesn't exist yet can get tricky. If this gets
> handed off to the SASL folks it may be best to avoid any such reference in
> this revision of the IMAP base document.

I intend to have no reference in the IMAP document.

Personally, I think that any attempt to go beyond a BCP (or other means of offering suggestions) should be vigorously opposed. Security is much too complicated to boil down to "you must do this and must not do that." Any number of permitted authentication retries will be too many and too few. Any amount of dawdle after an authentication failure is too much time, and too little time, and even an exploitable security bug. Any other actions are vital for system security and a means of attack.

In any case, such discussions belong in a document describing security techniques and tradeoffs. It does not belong in the IMAP document or any other document describing an orthogonal protocol.
