Barry Leiba writes:

> No, it applies to success for IMAP but corresponding failure for JMAP.
> The point is not to reveal more than necessary about the JMAP
> authentication process, to avoid giving information that would help
> break into JMAP.

Right.

Our general rule is to avoid giving information to unauthenticated clients,
because they may want to use the information for breaking into something.
We don't know who the user behind an unauthenticated client is, and
therefore have to assume the worst.

However, in this case we're giving information to an authenticated client,
acting on behalf of a bona-fide user of the service. We know that because
the IMAP authentication succeeded. Since we know that it's a bona-fide
user, we don't have to assume anything.

Arnt
Arnt
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call