I was digging through the Twisted IMAP code tonight and I noticed something puzzling...<br><br>PLAINAuthenticator.challengeResponse() uses the following statement to send auth credentials to the server<br><br> return '%s\0%s\0' % (self.user, secret)<br>
<br>which would give auth credentials of the form:<br><br> authid<NUL>password<NUL><br><br> (where <NUL> is the NUL character)<br><br>However, both RFC2595 and RFC4616 (both define the PLAIN SASL mechanism), say that credentials should be passed this way:<br>
<br> [authzid]<NUL>authnid<NUL>password<br><br> (where <NUL> is the NUL character and [authzid] is optional)<br><br>Now even if one was to leave the authzid out of the equation, you would end up with something like this:<br>
<br> <NUL>authnid<NUL>password<br><br>and the version Twisted's IMAP code uses appears to be invalid.<br><br>Am I crazy? <br>Am I missing something? <br>Is it just way too late and I should put the RFCs down and back away slowly?<br>
<br>Kevin Horn<br>