IMAP4 Access Control List (ACL) Extension
Note: This ballot was opened for revision 08 and is now closed.
(Scott Hollenbeck) Yes
(Brian Carpenter) No Objection
(Bill Fenner) No Objection
(Ted Hardie) No Objection
(Sam Hartman) (was Discuss) No Objection
Comment (2005-06-21 for -)
This document says that identifiers used as usernames for the login and authenticate commands are reserved to correspond to those users. However the authenticate command doesn't really take a username. I'm not sure what the right way of saying this in IMAP is, but in SASL it would be the authorization identity. But basically the text should be clarified to make it consistent with how authenticate actually works.
(Russ Housley) (was Discuss) No Objection
(David Kessens) No Objection
(Jon Peterson) (was No Record, No Objection) No Objection
Comment (2005-06-22 for -)
While this entire document concerns access and permissions, it seems to lack any text describing the protocol security requirements of a protocol that sets such permissions. Section 4 details what rights one must possess in order to modify ACLs, but I don't really see any text that describes the related threats concerning impersonation, replays, eavesdropping and so on in ACL creation. I have no doubt that mechanisms to address such threats exist in core IMAP (like SASL and STARTTLS), but it would be nice if this document explained why implementers should bother to use them.