ietf-nntp NNTP AUTH draft update

Andrew Gierth andrew at erlenstar.demon.co.uk
Thu Nov 11 09:16:55 PST 1999


>>>>> "Clive" == Clive D W Feather <clive at demon.net> writes:

 >> Compliant clients MUST issue "LIST EXTENSIONS" prior to using "AUTHINFO".
 >> If the "LIST EXTENSIONS" command fails, clients MAY attempt to use
 >> "AUTHINFO USER"/"AUTHINFO PASS" but should be aware that the server is
 >> likely to use x8x response codes in that case.
 >> 
 >> Servers MUST use the x5x response codes to "AUTHINFO" if the client issued
 >> a "LIST EXTENSIONS" command.  However, they MAY treat "AUTHINFO
 >> USER"/"AUTHINFO PASS" received prior to a "LIST EXTENSIONS" command as the
 >> pre-standard version of those commands and return commonly used private-use
 >> x8x response codes (which will be listed in an appendix).

 Clive> No, no, no ! That is the most horrible broken bogus design
 Clive> I've seen in ages.

 Clive> LIST EXTENSIONS is supposed to tell you what the server is
 Clive> capable of. As such, it shouldn't affect the internal state of
 Clive> the server at all. There's certainly nothing in the present
 Clive> NNTP draft to even suggest that it might affect (as opposed to
 Clive> reflect) server state.

 Clive> If backwards compatibility of the old form is vital, then use
 Clive> a new name for the version with x5x codes:

That isn't enough, because the issue is what response the server gives
to commands _other than_ AUTHINFO when it requires that the user
authenticate.

There is an existing client base that _will not_ even _attempt_ to
authenticate until some command fails with a 480 error code. Such
clients will do exchanges like:

  [S] 200 FooNews server ready (posting ok)
  [C] group foonews.general
  [S] 480 authentication required
  [C] authinfo user foo
  [S] 381 password required
  [C] authinfo pass bar
  [S] 281 ok
  [C] group foonews.general
  [S] 211 273 12884 13157 foonews.general

And as I've pointed out, some of these clients even issue the LIST
EXTENSIONS command....

 Clive> Or else state that compatibility with old AUTHINFO USER
 Clive> implementations isn't important.

If the choice is between implementing the new draft and keeping
compatibility with the existing client base, then the new draft
will not be implemented.

-- 
Andrew.
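
The client behaviour described in the message above, as an added example (not part of the original post or of any NNTP implementation): it classifies a session transcript by whether AUTHINFO was only sent after a non-AUTHINFO command was refused with 480, and whether LIST EXTENSIONS had been issued first. The classify function, the second transcript and its 500 reply are constructed for illustration.

```python
import re

LINE = re.compile(r"^\s*\[([SC])\]\s+(.*\S)\s*$")

# Transcript quoted in the message above.
LEGACY = """\
[S] 200 FooNews server ready (posting ok)
[C] group foonews.general
[S] 480 authentication required
[C] authinfo user foo
[S] 381 password required
[C] authinfo pass bar
[S] 281 ok
[C] group foonews.general
[S] 211 273 12884 13157 foonews.general
"""

# Constructed sample: the same client, but probing LIST EXTENSIONS first.
LEGACY_WITH_PROBE = LEGACY.replace(
    "[C] group foonews.general\n",
    "[C] list extensions\n[S] 500 command not recognized\n[C] group foonews.general\n",
    1,
)

def classify(transcript):
    """Report how a client session reached AUTHINFO (hypothetical helper)."""
    info = {"list_extensions_before_auth": False,
            "auth_triggered_by_480": False,
            "authenticated": False}
    seen_probe = refused = False
    last_cmd = ""
    for raw in transcript.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        side, text = m.group(1), m.group(2)
        if side == "C":
            last_cmd = " ".join(text.upper().split())
            if last_cmd.startswith("LIST EXTENSIONS"):
                seen_probe = True
            elif last_cmd.startswith("AUTHINFO USER"):
                info["list_extensions_before_auth"] = seen_probe
                info["auth_triggered_by_480"] = refused
        else:
            code = text[:3]
            if code == "480" and not last_cmd.startswith("AUTHINFO"):
                refused = True
            elif code == "281" and last_cmd.startswith("AUTHINFO PASS"):
                info["authenticated"] = True
    return info
```

A session where both list_extensions_before_auth and auth_triggered_by_480 are true is the case the message points out: a client that issues LIST EXTENSIONS yet still waits for a 480 before authenticating.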


