Re: [Last-Call] [Extra] [art] Artart last call review of draft-ietf-extra-jmapaccess-04

Phillip Tao writes:
> The IMAP authentication succeeded using a less secure mechanism than would be accepted for JMAP; it would've been a failure had the MUA attempted to authenticate with the JMAP server with the same authentication mechanism. Therefore, from the perspective of the JMAP server, the client should be treated as unauthenticated.

That sounds like the kind of appeal to security that makes some people think "cargo-cult security", shrug and move on.

I really, really don't want to have some people ignore a MUST or SHOULD in a document I write, so I want to justify each rule using something that the readers already believe to be true. Not just something that you or I believe to be true, it has to be common wisdom.

What can I say that makes people believe that e.g. "hey client, you need to use oauth if you want to use jmap" requires a higher level of trust than "hey client, you now have complete access to the user's mail"? A good example would do.

(I personally don't want this MUST/SHOULD precisely because I can't see a way to justify it using common wisdom. Show me the latter and I'll change my mind on the former.)

Arnt

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call