Spencer,
agreed.
I'll update the draft based on your comments, and update the repository,
thanks,
Neil
On 10 Mar 2009, at 12:12, Spencer Dawkins wrote:
Hi, Neil,
Thanks for the quick response (so I can still remember writing the
review :-)...
Deleting stuff we agree on - I think my suggestion here
3.8. Media Server Use of IMAP Server
If the media server is configured as an authorized user of the IMAP
server, it SHOULD authenticate to the IMAP server using the
credentials for that user. This document does not go into the
details of IMAP authentication, but the authentication SHOULD NOT
use
the LOGIN command over a non-encrypted communication path.
Spencer (minor, because I'm not your security reviewer): I'm
struggling why this last statement is SHOULD NOT with no
qualifications... if you tell me that this is normal practice in
the e-mail community, I'll be quiet, but this would worry me if I
saw it happening.
You're right, I actually took this verbatim from an earlier version
of the IMAP URL RFC, but I notice the latest version has removed
this text. There is no particular need for it in this doc either,
as the base IMAP RFCs cover the perils of using non-encrypted
communication channels adequately enough, and as such it's not a
security concern of this doc. So I lean towards removing the
sentence completely, or simply lowercasing the SHOULD NOT.
is removing the sentence.
My biggest concern was whether the media server might be configured
with MY IMAP credentials, and might decide it was a good idea to
send MY IMAP credentials "in the clear". If that's possible, I'd
hope for MUST NOT, but you're probably saying that this spec is not
the right place to fight the battle of clear-text security
credentials, even for IMAP, and I can see that being the case.
Thanks,
Spencer
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf