MBOX-Line: From slusarz at curecanti.org Tue Mar 18 13:13:05 2014
To: imap-protocol@u.washington.edu
From: Michael M Slusarz <slusarz@curecanti.org>
Date: Fri Jun 8 12:34:52 2018
Subject: [Imap-protocol] STARTTLS after PREAUTH
Message-ID: <20140318141305.Horde.iyy0UP8Ostx9TojRZiFyjw1@bigworm.curecanti.org>

STARTTLS is a non-authenticated command (3501 [6.2.1]).

Am I correct in my reading that this means that you lose any ability
to protect message data via TLS if PREAUTH is used? In other words:
was STARTTLS solely designed to protect authentication credentials
(security) and not message data (privacy)?

I guess the workaround for a situation where you *could*
preauthenticate based on connection factors/details, but still need
message privacy, is to require some sort of dummy authentication
(after initializing TLS layer). Feels pretty hackish though.

michael
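
A client-side check for the situation described in the message above, as an added example that is not part of the original post: it reads the server greeting and refuses to continue when a cleartext connection starts in PREAUTH but TLS is required. The function names, the action strings and the sample greetings are assumptions made for this illustration.

```python
import re

# Connection states from RFC 3501; the greeting decides which one a session starts in.
NOT_AUTHENTICATED, AUTHENTICATED, LOGOUT = "not-authenticated", "authenticated", "logout"
GREETING_STATE = {b"OK": NOT_AUTHENTICATED, b"PREAUTH": AUTHENTICATED, b"BYE": LOGOUT}
GREETING_RE = re.compile(rb"^\* (OK|PREAUTH|BYE)\b(?: \[([^\]]*)\])?", re.IGNORECASE)


def parse_greeting(line):
    """Return (initial state, advertised capabilities) for a greeting line."""
    m = GREETING_RE.match(line)
    if m is None:
        raise ValueError("not an IMAP greeting: %r" % (line,))
    state = GREETING_STATE[m.group(1).upper()]
    code = (m.group(2) or b"").split()
    caps = set()
    if code and code[0].upper() == b"CAPABILITY":
        caps = {c.decode("ascii").upper() for c in code[1:]}
    return state, caps


def plan_connection(greeting, tls_active, require_tls):
    """Decide the client's next step: 'proceed', 'starttls', 'capability' or 'abort'."""
    state, caps = parse_greeting(greeting)
    if state == LOGOUT:
        return "abort"
    if tls_active:
        # TLS was negotiated before the greeting (implicit TLS), so PREAUTH is private.
        return "proceed"
    if state == AUTHENTICATED:
        # STARTTLS is only valid in the not-authenticated state, so a PREAUTH
        # session that began in cleartext can never be upgraded.
        return "abort" if require_tls else "proceed"
    if not caps:
        return "capability"  # greeting carried no CAPABILITY code; ask before deciding
    if "STARTTLS" in caps:
        return "starttls"
    return "abort" if require_tls else "proceed"


if __name__ == "__main__":
    # Constructed greetings, not captured from a real server.
    for g in (b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n",
              b"* PREAUTH [CAPABILITY IMAP4rev1] logged in as user\r\n"):
        print(g.strip().decode(), "->", plan_connection(g, tls_active=False, require_tls=True))
```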