Closed djeastonca closed 9 months ago
Agree this could be removed; people that want to do IP-based authentication will do it regardless, and nothing is gained by having it as part of the spec.
Do not mention authentication by IP address explicitly. An implementation and/or data center may choose to allow any kind of enhanced authentication beyond the standard anyway.
~Users MAY be authenticated using their IP address or AUTH command.~ → Users MAY be authenticated using the AUTH command.
+1 on change
The specification appears to implicitly endorse the notion of authentication by IP address: "Users MAY be authenticated using their IP address…". Given how relatively easily source IP addresses can be spoofed, I suggest that this be removed. There are many additional ways that can be added to perform authentication (e.g. OAuth).