[This thread is getting far afield from imapext's charter. Let's move it
to the IMAP protocol list. PLEASE remove [EMAIL PROTECTED] from any
replies.]

[[Cyrus: why won't Mulberry let me set a Reply-To header?!?]]


On Monday, August 25, 2003 12:14 AM +0100 Paul Smith <[EMAIL PROTECTED]> wrote:


Does LDAP permit an unauthenticated client to obtain a list of usernames with which it potentially could authenticate?

Sometimes, (in a slightly roundabout way) yes - by giving a list of email addresses which, probably 99% of the time, are directly related to user names.

Thus the requirement for friendly identifiers divorced from authentication identifiers.


Would an IMAP extension?
No - it would only give it to AUTHENTICATED users, obviously.

I hope that doesn't include those authenticated as anonymous.


It's still a bad idea. If I can guess one password, I can authenticate and then retrieve the list of valid authentication identifiers for my next round of attacks.


--lyndon




--
-----------------------------------------------------------------
For information about this mailing list, and its archives, see: http://www.washington.edu/imap/imap-list.html
-----------------------------------------------------------------



