From: Patrick <firstname.lastname@example.org>
Date: Mon, 5 Aug 2002 16:54:45 +0200
Subject: Re: Login Failure and Sessions
On Mon, Aug 05, 2002 at 09:52:59AM -0400, Hollenbeck, Scott took time to write: > I'm working on putting a state diagram in the EPP draft per a last-call > comment from our AD. While working through this I came across something > that we haven't captured in the documents: what should a server do in case > of a login failure due to bogus credentials? > > My preference would be for consistent behavior across all transports. I see > a few options for dealing with login failures: I think that this is a policy issue. The protocol should only state that the server MAY close the connection after login failure, so that the client knows he must deal with this case. Of course following commands (in such case as the one you describe with an email containing login-commands-lougout) are not processed, and discarded by the server. Other than that, it should be up to each Registry to see if they prefer to close the connection, limit the number of attempts or do not limit anything. Patrick.