On Friday 01 September 2006 16:47, Jürgen Herz wrote:

> And client response (here decoded)
> authzid="juergen",charset=utf-8,cnonce="7c1c927e756c9067dbf412c964a823c1",
> digest-uri="pop/pico",nc=00000001,nonce="S5hbmt7qeaQYOS/OLKOsYg==",
> qop=auth,realm="",response=fed55b47609e097fdf7d145635e845ff,username="juergen"


After being in contact with Jürgen by private mail,
we now know that 'authzid' is the problem because the pop3 server side does not
support it.
From my point of view (and RFC 2831) authzid is optional.
authzid is needed in case the Authentication ID (username) differs
from the Authorization ID (authzid).
In case both are equal there is no need to send authzid.
Worse, authzid should not be sent because that breaks authentication
(for example in Jürgen's case, Dovecot on the server side not supporting authzid).

From my point of view Authen::SASL::Perl::DIGEST_MD5 should be changed to
send authzid only in case of authzid ne username.


What do you think?

Achim
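
An added example, not part of the original message and not code from Authen::SASL: a stand-alone Perl sketch of the RFC 2831 qop=auth response calculation, showing that authzid is hashed into A1 when sent, together with the proposed "send only if authzid ne username" rule. The helper names digest_response and client_fields and the password are assumptions made for illustration; the other directive values are taken from the quoted client response.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5 md5_hex);

# RFC 2831 section 2.1.2.1, qop=auth:
#   A1 = H(username:realm:password) : nonce : cnonce [ : authzid ]
#   A2 = "AUTHENTICATE:" digest-uri
#   response = HEX(H( HEX(H(A1)) : nonce : nc : cnonce : qop : HEX(H(A2)) ))
sub digest_response {
    my (%p) = @_;
    my $a1 = join ':',
        md5(join ':', @p{qw(username realm password)}),
        @p{qw(nonce cnonce)};
    # authzid becomes part of A1 only when the client sends it
    $a1 .= ':' . $p{authzid} if defined $p{authzid};
    my $a2 = 'AUTHENTICATE:' . $p{'digest-uri'};
    return md5_hex(join ':', md5_hex($a1),
                   @p{qw(nonce nc cnonce qop)}, md5_hex($a2));
}

# Hypothetical helper: build the directives the client would send,
# dropping authzid when it equals username (the change proposed above).
sub client_fields {
    my (%p) = @_;
    delete $p{authzid}
        if defined $p{authzid} && $p{authzid} eq $p{username};
    my %out = map { $_ => $p{$_} } grep { $_ ne 'password' } keys %p;
    $out{response} = digest_response(%p);
    return %out;
}

# Constructed sample: directives from the quoted response, password made up.
my %in = (
    username     => 'juergen',
    authzid      => 'juergen',
    realm        => '',
    password     => 'example-password',
    nonce        => 'S5hbmt7qeaQYOS/OLKOsYg==',
    cnonce       => '7c1c927e756c9067dbf412c964a823c1',
    nc           => '00000001',
    qop          => 'auth',
    'digest-uri' => 'pop/pico',
);

my %sent = client_fields(%in);
printf "authzid sent:             %s\n", exists $sent{authzid} ? 'yes' : 'no';
printf "response without authzid: %s\n", $sent{response};
printf "response with authzid:    %s\n", digest_response(%in);
```

The two printed response values differ, so a verifier that leaves authzid out of A1 cannot arrive at the value a client computed with it.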
