| (I) A POP3 "command" (better described as a transaction type, or a
protocol-within-a-protocol) by which a POP3 client optionally uses
a keyed hash (based on MD5) to authenticate itself to a POP3
server and, depending on the server implementation, to protect
against replay attacks. (See: CRAM, POP3 AUTH, IMAP4
AUTHENTICATE.)
(C) The server includes a unique timestamp in its greeting to the
client. The subsequent APOP command sent by the client to the
server contains the client's name and the hash result of applying
MD5 to a string formed from both the timestamp and a shared secret
that is known only to the client and the server. APOP was designed
to provide an alternative to using POP3's USER and PASS (i.e.,
password) command pair, in which the client sends a cleartext
password to the server.
|
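The exchange described in (C), as an added example that is not part of the original glossary entry: both sides of an APOP login, followed by the same captured command replayed against a later greeting. The host name, account name, secret and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import time

def make_greeting(host="mail.example.test"):
    """Server: greeting with a timestamp unique to this connection."""
    stamp = f"<{os.getpid()}.{time.time_ns()}.{os.urandom(4).hex()}@{host}>"
    return f"+OK POP3 server ready {stamp}"

def extract_timestamp(greeting):
    """Client: pull the <...@...> timestamp out of the greeting, if any."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting)
    return m.group(0) if m else None

def apop_digest(timestamp, secret):
    """MD5 over the timestamp followed by the shared secret, as lowercase hex."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()

def client_command(greeting, name, secret):
    """Client: build the APOP line; the secret itself never goes on the wire."""
    ts = extract_timestamp(greeting)
    if ts is None:
        raise ValueError("greeting has no timestamp; APOP not offered")
    return f"APOP {name} {apop_digest(ts, secret)}"

def server_verify(command, issued_timestamp, secrets):
    """Server: recompute the hash from the timestamp issued on this connection."""
    parts = command.split(" ")
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in secrets:
        return False
    expected = apop_digest(issued_timestamp, secrets[parts[1]])
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), parts[2].lower().encode())

def demo():
    """Constructed account data: one genuine login, then the same line replayed."""
    secrets = {"alice": "constructed-shared-secret"}
    g1 = make_greeting()
    captured = client_command(g1, "alice", secrets["alice"])
    genuine = server_verify(captured, extract_timestamp(g1), secrets)
    g2 = make_greeting()  # new connection, new timestamp
    replayed = server_verify(captured, extract_timestamp(g2), secrets)
    return genuine, replayed

if __name__ == "__main__":
    print(demo())
```

The replayed command fails only because the server checks it against the timestamp it issued for the current connection; a server that reuses timestamps loses that protection.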