ietf-nntp My notes from the NNTP WG meeting at the 37th IETF

Nat Ballou NatBa at MICROSOFT.com
Fri Dec 20 08:55:56 PST 1996


> From: Jack De Winter <jack at wildbear.on.ca>
> To: Brian Hernacki <bhern at netscape.com>; Nat Ballou <NatBa at MICROSOFT.com>
> Cc: Brian Kantor <brian at nothing.ucsd.edu>; Chris.Newman at INNOSOFT.COM; moore at cs.utk.edu; ietf-nntp at academ.com
> Subject: Re: ietf-nntp My notes from the NNTP WG meeting at the 37th IETF
> Date: Thursday, December 19, 1996 11:09 AM
> 
> >As far as protocol goes, Netscape News Server will accept an AUTHINFO
> >USER, return a "381 PASS required", but still allow you to enter other
> >commands without having entered AUTHINFO PASS. It does not however, use
> >the USER information (even for readership stats) unless a password has
> >been provided to prove identity.
> 
> So, I guess then, if we can find one other server like that, we could
> argue that it should go into the 977bis draft to allow other commands
> but not to act on the 'verified' user until the user is indeed verified
> with the AUTHINFO PASS command?

Actually - no.  It seems the Netscape server accepts AUTHINFO USER without
an AUTHINFO PASS, but does nothing with the AUTHINFO USER.  I believe most
servers have a set of newsgroups that can be viewed without any
authentication - so it's reasonable for the Netscape server to do what it
does.  INN does the same thing.  In any case, without a password, the
AUTHINFO USER command is useless, and servers will not accept it.  If they
did, I could spoof others.

Nat
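
The behaviour discussed in this thread, as an added example that is not part of the original messages and not taken from any server's code: a session keeps the name claimed by AUTHINFO USER separate from the verified identity, so other commands still work after the 381 reply but nothing is attributed to the user until AUTHINFO PASS succeeds. The class, the account and the group names are constructed, and every reply code other than 381 is an assumption based on common NNTP usage.

```python
import hmac

CREDENTIALS = {"alice": "correct horse"}   # constructed sample account
PUBLIC_GROUPS = {"news.announce"}          # constructed; readable by anyone
PRIVATE_GROUPS = {"corp.internal"}         # constructed; needs a verified user


class Session:
    def __init__(self):
        self.pending_user = None  # claimed via AUTHINFO USER, unverified
        self.identity = None      # set only when AUTHINFO PASS succeeds
        self.stats = []           # (identity, group) readership records

    def handle(self, line):
        parts = line.strip().split(" ", 2)
        verb = parts[0].upper()
        if verb == "AUTHINFO" and len(parts) == 3:
            if parts[1].upper() == "USER":
                self.pending_user = parts[2]
                return "381 PASS required"
            if parts[1].upper() == "PASS":
                return self._password(parts[2])
            return "501 Syntax error"
        if verb == "GROUP" and len(parts) == 2:
            return self._group(parts[1])
        return "500 Unknown command"

    def _password(self, password):
        user, self.pending_user = self.pending_user, None
        if user is None:
            return "482 AUTHINFO USER required first"
        expected = CREDENTIALS.get(user)
        if expected is not None and hmac.compare_digest(
                expected.encode(), password.encode()):
            self.identity = user
            return "281 Authentication accepted"
        return "502 Authentication failed"

    def _group(self, name):
        if name in PRIVATE_GROUPS and self.identity is None:
            return "480 Authentication required"
        if name not in PUBLIC_GROUPS | PRIVATE_GROUPS:
            return "411 No such newsgroup"
        # Log the verified identity only; a bare USER claim is never recorded.
        self.stats.append((self.identity, name))
        return "211 %s selected" % name
```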




