Charles Marcus dovecot@dovecot.org wrote on 23 Jul 2007 13:21:
Phillip T. George, on 7/23/2007 1:00 PM, said the following:
SSL/TLS is not going to solve the keylogger and malware problem.
Basically, if you're on a public (or even a friend's) computer and someone decides to monitor keystrokes using some application, your password will be completely compromised.
Well, that's true, but this really isn't a dovecot issue...
Yes, that's true. I believe I must make some additional notes to explain the reason for my mail:
I believe One-time Passwords can be useful, especially in untrusted webmail environments.
Until now I did not find an easy solution to set up OTP with commonly used IMAP servers and webmail packages. If somebody is able to show me a solution I would be happy and we can abort this thread.
I did not use dovecot before, but when I evaluated some IMAP servers I came to the conclusion that dovecot has a clean structure and can be extended easily. I was able to patch dovecot in order to show that the proposed solutions are possible.
So dovecot has no errors in this context, but I believe it could be extended easily and that's why I wrote in this mailing list. My hope is that people comment:
- My ideas are stupid or not.
- My proposal is a useful IMAP extension, or we should solve the problem in other ways.
- We should extend dovecot a little bit or leave it, because other mail servers do not implement such a feature.
I do not complain about dovecot, I'm proposing some enhancements, but maybe in the wrong direction. I hope I do not disturb the mailing list readers.
Regards, Frank
Frank Behrens, Osterwieck, Germany PGP-key 0x5B7C47ED on public servers available.