--On Friday, July 18, 2003 11:51 AM -0500 Gary Mills <[EMAIL PROTECTED]> wrote:
| Using both shared secrets and plain-text passwords introduces a
| client/server interaction problem. Many IMAP clients will not fall
| back to plain-text authentication when the server advertises the
| shared secret mechanisms, but the specific user does not have a
| shared secret. The result is an impasse, since the user cannot
| authenticate and also cannot set the shared secret. My current
| workaround is to modify the c-client library so that it will fall
| back to plain-text passwords.
I did not implement fallback because my feeling is that if a user sets a particular authentication mechanism then that is what they want. Certainly fallback from a relatively secure mechanism like CRAM or DIGEST to one with no security like plain is bad practice, as man-in-the-middle attacks could be used to trick clients into sending clear-text passwords, and the user would be none the wiser.
-- Cyrus Daboo
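The two situations discussed in this exchange, the impasse for a user who has no shared secret and the downgrade risk of silent fallback, as an added illustration that is not code from the thread, from c-client, or from Cyrus. The client-side selection logic, the mechanism strength ranking and the in-process simulated server (names `choose_mechanism`, `login`, `SimulatedServer`) are all constructed for this example; the capability lines are made-up inputs.

```python
"""Mechanism selection for an IMAP client that will not silently fall back
from a shared-secret mechanism to a plaintext one.

Constructed example; not code from c-client, Cyrus, or any real IMAP client.
The server is simulated in-process so the module runs offline.
"""
from typing import Dict, List, Optional, Set

# Relative strength of the SASL mechanisms mentioned in the thread.  PLAIN and
# LOGIN send the password in the clear; CRAM-MD5 and DIGEST-MD5 prove
# possession of a shared secret without sending it.  (Constructed ranking.)
STRENGTH: Dict[str, int] = {"DIGEST-MD5": 3, "CRAM-MD5": 2, "PLAIN": 1, "LOGIN": 1}
PLAINTEXT: Set[str] = {m for m, s in STRENGTH.items() if s == 1}


class DowngradeRefused(Exception):
    """Server offers nothing as strong as the mechanism the user configured."""


class AuthenticationFailed(Exception):
    """The chosen mechanism was tried and the server rejected it."""


def parse_capability(line: str) -> List[str]:
    """Return the AUTH= mechanisms from an untagged IMAP CAPABILITY response."""
    tokens = line.split()
    if tokens[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return [t[len("AUTH="):].upper() for t in tokens if t.upper().startswith("AUTH=")]


def choose_mechanism(advertised: List[str], configured: Optional[str],
                     allow_fallback: bool) -> str:
    """Pick the mechanism to attempt.

    configured     -- mechanism the user explicitly set, or None for
                      "strongest the server offers".
    allow_fallback -- whether dropping from a shared-secret mechanism to a
                      plaintext one is permitted when the configured one is
                      unavailable (the c-client workaround from the thread).
    """
    usable = [m for m in advertised if m in STRENGTH]
    if not usable:
        raise DowngradeRefused("server advertises no supported AUTH mechanism")
    if configured is None:
        return max(usable, key=STRENGTH.__getitem__)
    configured = configured.upper()
    if configured in usable:
        return configured
    # The configured mechanism is missing from the list.  A capability list
    # that has lost its shared-secret mechanisms is exactly what a downgrade
    # looks like from the client, so refuse unless fallback was opted into.
    if configured not in PLAINTEXT and not allow_fallback:
        raise DowngradeRefused("%s configured but server offers only %s"
                               % (configured, ", ".join(usable)))
    return max(usable, key=STRENGTH.__getitem__)


class SimulatedServer:
    """Toy server: a shared-secret mechanism succeeds only for users who have
    a shared secret set; PLAIN/LOGIN always succeed (password assumed right)."""

    def __init__(self, capability_line: str, users_with_secret: Set[str]):
        self.capability_line = capability_line
        self.users_with_secret = users_with_secret

    def capability(self) -> List[str]:
        return parse_capability(self.capability_line)

    def authenticate(self, mechanism: str, user: str) -> bool:
        if mechanism in PLAINTEXT:
            return True
        return user in self.users_with_secret


def login(server: SimulatedServer, user: str, configured: Optional[str],
          allow_fallback: bool = False) -> str:
    """Authenticate and return the name of the mechanism that succeeded."""
    advertised = server.capability()
    mech = choose_mechanism(advertised, configured, allow_fallback)
    if server.authenticate(mech, user):
        return mech
    # The impasse from the thread: the configured shared-secret mechanism is
    # offered, but this user has no secret.  Retry in the clear only if the
    # operator explicitly allowed it; otherwise fail and say why.
    if mech not in PLAINTEXT and allow_fallback:
        plain = [m for m in advertised if m in PLAINTEXT]
        if plain and server.authenticate(plain[0], user):
            return plain[0]
    raise AuthenticationFailed("%s rejected for %s and no fallback" % (mech, user))


if __name__ == "__main__":
    honest = SimulatedServer("* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=PLAIN", {"alice"})
    print(login(honest, "alice", "CRAM-MD5"))
    try:
        login(honest, "bob", "CRAM-MD5")
    except AuthenticationFailed as e:
        print("impasse:", e)
    print(login(honest, "bob", "CRAM-MD5", allow_fallback=True))
    stripped = SimulatedServer("* CAPABILITY IMAP4rev1 AUTH=PLAIN", {"alice"})
    try:
        login(stripped, "alice", "CRAM-MD5")
    except DowngradeRefused as e:
        print("refused:", e)
```

With `allow_fallback` left at its default, a user without a shared secret gets a clear authentication failure rather than a silent retry in the clear, and a capability list missing the configured mechanism is refused outright. Passing `allow_fallback=True` reproduces the c-client workaround, and the last case shows why a fixed user setting matters: with `configured=None` the client has no recorded expectation to compare against, so there is nothing to refuse.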