
Re: SMTP AUTH design-team meeting addendum



Chris Newman wrote:

> On Fri, 4 Sep 1998, John Gardiner Myers wrote:
> > The SMTP AUTH spec should mention the principle that servers SHOULD NOT
> > advertise the existence of mechanisms whose use provides no benefit to
> > either client or server.  For example, consider a server which
> > implements CRAM-MD5 authentication, and has the policy that clients
> > connecting from certain networks have authorization which is not
> > affected by authentication.  Since CRAM-MD5 does not implement a
> > security layer, it does not itself provide a benefit to the client.  If
> > the policy for a given client is such that CRAM-MD5 authentication does
> > not affect the client's authorization, then the server should not
> > advertise the CRAM-MD5 mechanism to that particular client.
>
> I agree.  But this wording is a bit subtle.  Here's another try:
>
> If an existing SMTP server is reconfigured or upgraded to advertise
> authentication mechanisms, this is likely to cause new SMTP client UIs to
> begin prompting users for their passwords.  As such a behavior change may
> be undesirable at some sites, servers SHOULD NOT advertise client-only
> authentication mechanisms, such as CRAM-MD5, unless they grant the client
> additional delivery rights or services.

From the other side, IMHO, new clients MAY (or even SHOULD) remember passwords.
However, clients SHOULD be configured not to do this.

Cheers,
Alexey Melnikov
------------------------------------------
SMTP/POP3/IMAP4/ACAP servers creation team
"ACAP Explorer" client

Epsylon Technologies, Russia
 http://www.demo.ru

Imap Development Kit (my own product)
http://www.demo.ru/homerus/mail/idk/index.htm
------------------------------------------
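The advertising rule John and Chris are discussing, as an added example that is not part of this thread or of any of the products in the signature above: a server decides per connection whether AUTH would change the client's authorization (here, relay permission) and includes the AUTH keyword in its EHLO reply only when it would. Because CRAM-MD5 (RFC 2195) is authentication-only and adds no security layer, the session is no more protected after AUTH than before, so authorization is the only thing the mechanism can buy the client. The hostname mx.example.net, the trusted network 192.0.2.0/24 and the relay policy are all constructed for the example; the CRAM-MD5 challenge/response itself follows RFC 2195 using the standard library.

```python
import hmac
import ipaddress
import secrets
import time

# Constructed policy for this example (hypothetical network, not from the thread):
# clients on this network may relay whether or not they authenticate.
TRUSTED_RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Mechanisms this server implements. CRAM-MD5 authenticates only; it adds no security layer.
CLIENT_ONLY_MECHS = ["CRAM-MD5"]


def may_relay(client_ip, authenticated):
    """Authorization policy: trusted networks relay unconditionally, others only after AUTH."""
    ip = ipaddress.ip_address(client_ip)
    return authenticated or any(ip in net for net in TRUSTED_RELAY_NETS)


def auth_changes_authorization(client_ip):
    """True when authenticating would grant this client something it does not already have."""
    return may_relay(client_ip, True) != may_relay(client_ip, False)


def ehlo_response(hostname, client_ip):
    """Build the EHLO reply, advertising AUTH only where it benefits the client."""
    keywords = [f"{hostname} Hello [{client_ip}]", "SIZE 10485760", "8BITMIME"]
    if auth_changes_authorization(client_ip):
        keywords.append("AUTH " + " ".join(CLIENT_ONLY_MECHS))
    # RFC 1869 multi-line reply: "250-" on every line but the last, "250 " on the last.
    return [f"250-{k}" for k in keywords[:-1]] + [f"250 {keywords[-1]}"]


def advertises_auth(reply_lines):
    """True if any EHLO keyword line in the reply is an AUTH keyword."""
    return any(line[4:].startswith("AUTH ") for line in reply_lines)


def cram_md5_challenge(hostname):
    """Server side, RFC 2195: a one-time challenge of the form <random.timestamp@host>."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: username, a space, then hex HMAC-MD5 of the challenge keyed by the password."""
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response, challenge, lookup_password):
    """Server side: recompute the HMAC from the stored password and compare in constant time."""
    user, _, digest = response.partition(" ")
    password = lookup_password(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    host = "mx.example.net"  # hypothetical server name
    # A client inside the trusted network sees no AUTH; one outside it does.
    for ip in ("192.0.2.10", "203.0.113.5"):
        print("\n".join(ehlo_response(host, ip)), "\n")
    chal = cram_md5_challenge(host)
    resp = cram_md5_response("alice", "correct horse", chal)
    print("verified:", cram_md5_verify(resp, chal, {"alice": "correct horse"}.get))
```

Note that the server needs only `auth_changes_authorization` to apply the rule; the CRAM-MD5 functions are there to make concrete what the mechanism does and does not provide (a keyed digest over a fresh challenge, nothing that protects the rest of the session), and the last assertion below checks them against the worked exchange in RFC 2195.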