ietf-nntp Server response length limits
Andrew Gierth
andrew at erlenstar.demon.co.uk
Wed Mar 13 00:51:37 PST 2002
>>>>> "Jeffrey" == Jeffrey M Vinocur <jeff at litech.org> writes:
Jeffrey> So...I've been working with Chris Newman on AUTHINFO SASL.
Jeffrey> The reason I asked the above was because we're running into
Jeffrey> issues with the line lengths, as SASL sometimes likes to put
Jeffrey> data in the initial command of the exchange.
Is it actually necessary for this info to be in the form of
single-line responses rather than multi-line ones (which _do_ allow
lines of unlimited length)?

Otherwise your approach seems reasonable.

Is there any likelihood of a SASL scheme showing up that allows for
third-party authentication via an existing protocol? (RADIUS, for
example) This would require a scheme in which the server obtains the
actual plaintext password, which of course widens the scope of
attacks, but unless something like this becomes available then
plaintext-on-the-wire is going to remain the rule rather than the
exception.
--
Andrew.