On Thu, 23 Nov 2006, Mark Crispin wrote:
> For what it's worth, UW imapd has a 3 minute pre-authentication autologout
> timer. There are actually two pre-authentication autologout timers: the
> normal inactivity autologout timer, and a non-authenticated session age timer
> which is enforced at command completion. The latter is cancelled by a
> successful authentication; a session could be over-age but still within the 3
> minute inactivity grace, but it must authenticate at that point. The upshot
> is that a non-authenticated session will die between 3 and 6 minutes from its
> startup.
This addresses a concern that immediately came to mind, that of someone
setting a 30 second timeout. Remember that the client can't prompt for a
password until it knows which authentication mechanism is to be used. So
we wind up with a scenario like:

    C: 0 authenticate digest-md5
       [client asynchronously prompts user for password]
    S: + mumblefooetc ...
       [user fumbles for scrap of paper with password, then slowly types it in,
       backspacing and correcting along the way ...]
    S: * BYE you type too slowly
       [server closes connection]
       [client terminates login attempt due to server error]

I admit this is a bit contrived, but people will do stupid things in the
name of "security." And too often people assume best case behaviour of
the network (and software, for that matter). Instead of a slow typer,
imagine a BGP route flap, or just plain old router congestion-induced
packet loss that forces the TCP session into exponential backoff. Voila,
you cannot log in.
So, if you do change the errata, please mandate a minimum 5 minute timer
in pre-authenticated state so that we can retain some robustness in the
protocol.
--lyndon
NT as a file server is faster than a dead bat carrying Post-It notes
underwater. But not by much.
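
Added example, not part of the original message and not UW imapd code: a small model of the two pre-authentication timers described in the quoted text, run against the slow-typer exchange above. Assumptions: times are seconds since connect, any client input restarts the inactivity timer, and the session age limit equals the inactivity limit (inferred from the "between 3 and 6 minutes" bound); the function and event names are hypothetical.

```python
# Model of the pre-authentication autologout behaviour described in the thread.
# Assumed, not taken from any server source: event kinds, function name, and
# that the age limit defaults to the same 180 s as the inactivity limit.

def preauth_outcome(events, inactivity=180, age_limit=180):
    """Decide how a not-yet-authenticated session ends.

    events: time-ordered (t, kind) pairs, t in seconds since connect.
      "input" - client sent data (e.g. the AUTHENTICATE line), nothing completed
      "cmd"   - a command completed without authenticating (NOOP, failed LOGIN)
      "auth"  - authentication completed successfully
    Returns (outcome, time_of_outcome).
    """
    last_input = 0
    for t, kind in events:
        # Inactivity timer: fires if the client was silent for the whole limit.
        if t - last_input >= inactivity:
            return ("bye-inactivity", last_input + inactivity)
        last_input = t
        # A successful authentication cancels the age timer, even when over-age.
        if kind == "auth":
            return ("authenticated", t)
        # Age timer: only checked when a command completes.
        if kind == "cmd" and t >= age_limit:
            return ("bye-age", t)
    # Client went quiet after its last input.
    return ("bye-inactivity", last_input + inactivity)


# Constructed timeline for the exchange above: AUTHENTICATE sent at t=1,
# the user finishes typing the password 45 seconds later.
SLOW_TYPER = [(1, "input"), (46, "auth")]

if __name__ == "__main__":
    for limit in (30, 180, 300):
        print(limit, preauth_outcome(SLOW_TYPER, inactivity=limit, age_limit=limit))
    # Latest possible death with 180 s timers: a command completes just
    # under the age limit, then the client goes silent.
    print(preauth_outcome([(179, "cmd")]))
```

With a 30 second limit the constructed slow-typer session is dropped before the password arrives; with 180 or 300 seconds it authenticates.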