> > However, in this case the client has already authenticated via IMAP.
> > By doing so the client already gained access to all of the same mail.
> > The authors believe that the debugging value of the response code far
> > outweighs its security concerns.
> >
> > The reviewer agrees. That said, it would not be a bad thing to
> > add something like this:
> >
> > ADD
> > Server implementations must take care to consider this and not
> > to reveal more detail about authentication failures than necessary
> > for this purpose.
>
> Uhn, this only applies to authentication successes.

No, it applies to success for IMAP but corresponding failure for JMAP.
The point is not to reveal more than necessary about the JMAP
authentication process, to avoid giving information that would help
break into JMAP.

b