My thoughts are the same as yours, Phillip, and thanks for saying it so well. Barry On Tue, Aug 22, 2023 at 2:22 PM Phillip Tao <ptao@xxxxxxxxx> wrote: > > Given that Barry is the reviewer, and I'm just butting in to re-iterate/agree with what he said, I assume your response is mostly directed at him. > > But, to chip in my two cents, I think the way that Barry's proposed text is written, it's hard to "ignore" the MUST. It seems deliberately kind of vague, and serves more as a reminder to readers than to actually state a technically enforceable standard. Who's to say what's _really_ "more detail … than necessary"? The existing text explains why it's useful to create this small "security hole", but I think the proposed text is still helpful to remind potential implementors to keep it as limited in scope as possible. > > If you really want to avoid the MUST, maybe it could be worded along the lines of the following? > > Server implementations are advised to not reveal more detail about authentication failures than necessary for this purpose. > > > Again, as an interloper, I'm curious to hear Barry's thoughts. > > - Phillip > > > On Aug 22, 2023, at 2:46 AM, Arnt Gulbrandsen <arnt@xxxxxxxxxxxxxxxxxxx> wrote: > > Phillip Tao writes: > > The IMAP authentication succeeded using a less secure mechanism than would be accepted for JMAP; it would've been a failure had the MUA attempted to authenticate with the JMAP server with the same authentication mechanism. Therefore, from the perspective of the JMAP server, the client should be treated as unauthenticated. > > > That sounds like the kind of appeal to security that makes some people think "cargo-cult security", shrug and move on. > > I really, really don't want to have some people ignore a MUST or SHOULD in a document I write, so I want to justify each rule using something that the readers already believe to be true. Not just something that you or I believe to be true, it has to be common wisdom. > > What can I say that makes people believe that e.g. "hey client, you need to use oauth if you want to use jmap" requires a higher level of trust than "hey client, you now have complete access to the user's mail"? A good example would do. > > (I personally don't want this MUST/SHOULD precisely because I can't see a way to justify it using common wisdom. Show me the latter and I'll change my mind on the former.) > > Arnt > > _______________________________________________ > Extra mailing list > Extra@xxxxxxxx > https://www.ietf.org/mailman/listinfo/extra > > -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call