On Tue, 24 Jun 2003, Lyndon Nerenberg wrote:
> I don't think it really matters (since clients cannot make use of the
> capability after authentication). In my servers I remove AUTH= from the
> capability list after authentication, but my primary motivation for
> this is to eliminate unnecessary protocol chatter.

Ditto in UW imapd.

> > Apparently some clients may/do want to compare the capabilities before
> > and after authentication to see if they have been changed by a
> > man-in-the-middle. Those of us working on Cyrus think that this is
> > pointless, but should we prevent them from doing so by removing the
> > capabilities?
> Since the capability list can change at any time (nothing precludes a
> server from "growing" new capabilities on the fly -- taking them away
> would be evil, though), any such client is broken, in my opinion.

I agree with this as well.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
