RFC 2192 (rfc2192) - Page 3 of 16


IMAP URL Scheme



Alternative Format: Original Text Document



RFC 2192                    IMAP URL Scheme               September 1997


     Since URLs can easily come from untrusted sources, care must be
     taken when resolving a URL which requires or requests any sort of
     authentication.  If authentication credentials are supplied to the
     wrong server, it may compromise the security of the user's account.
     The program resolving the URL should make sure it meets at least
     one of the following criteria in this case:

     (1) The URL comes from a trusted source, such as a referral server
     which the client has validated and trusts according to site policy.
     Note that user entry of the URL may or may not count as a trusted
     source, depending on the experience level of the user and site
     policy.
     (2) Explicit local site policy permits the client to connect to the
     server in the URL.  For example, if the client knows the site
     domain name, site policy may dictate that any hostname ending in
     that domain is trusted.
     (3) The user confirms that connecting to that domain name with the
     specified credentials and/or mechanism is permitted.
     (4) A mechanism is used which validates the server before passing
     potentially compromising client credentials.
     (5) An authentication mechanism is used which will not reveal
     information to the server which could be used to compromise future
     connections.

     URLs which do not include a user name must be treated with extra
     care, since they are more likely to compromise the user's primary
     account.  A URL containing ";AUTH=*" must also be treated with
     extra care since it might fall back on a weaker security mechanism.
     Finally, clients are discouraged from using a plain text password
     as a fallback with ";AUTH=*" unless the connection has strong
     encryption (e.g. a key length of greater than 56 bits).

     A program interpreting IMAP URLs MAY cache open connections to an
     IMAP server for later re-use.  If a URL contains a user name, only
     connections authenticated as that user may be re-used.  If a URL
     does not contain a user name or authentication mechanism, then only
     an anonymous connection may be re-used.  If a URL contains an
     authentication mechanism without a user name, then any non-
     anonymous connection may be re-used.

     Note that if unsafe or reserved characters such as " " or ";" are
     present in the user name or authentication mechanism, they MUST be
     encoded as described in RFC 1738 [BASIC-URL].








Newman                   Standards Track