ietf-nntp Currently outstanding issues

Ken Murchison ken at oceana.com
Sat Apr 26 05:38:06 PDT 2003 

"Jeffrey M. Vinocur" wrote:
> 
> On Fri, 25 Apr 2003, Russ Allbery wrote:
> 
> > Clive D W Feather <clive at demon.net> writes:
> >
> > >     http://www.davros.org/nntp-texts/draft18.txt
> > >     http://www.davros.org/nntp-texts/draft18.html
> 
> > Section 3.1:
> >
> > | OUTSTANDING ISSUE
> > |
> > | Should the initial response line be limited to 512 octets as well? [...]
> >
> > Yes.
> 
> Agreed.
> 
> (Hmm, you might want to point out here that an extension could "increase
> in the maximum length of commands over the value specified in this
> document" [section 8] -- or is that being silly?)

I assume that you're mentioning this for SASL?  I agree, that extensions
should be able to extend this limit.


> I just noticed something:
> 
> | An NNTP client MUST NOT cache (for use in another session) any
> | information returned if the LIST EXTENSIONS command succeeds. That
> | is, an NNTP client is only able to get the current and correct
> | information concerning available extensions at any point during a
> | session by issuing a LIST EXTENSIONS command at that point of that
> | session and processing the response.  [section 5.3.2]
> 
> In the SASL draft-to-be, I believe we indicate that a client might be wise
> to cache this information in order to display a cautionary message to the
> user should a high-security method be missing (perhaps indicating a

I don't follow what you're saying without seeing the actual AUTHINFO
SASL text, but a single session can do whatever it wishes with the info
that it discovers.


> cipher downgrade type attack).  The first sentence above seems to prohibit
> that usage, but then the second seems to be more acceptable.  Are we happy
> with the wording as is?

I think the wording is fine as-is.  Similar wording is used for the
other messaging protocols.  The key phrase is "(for use in another
session)".  If a client makes multiple connections to the same server,
it can't use the information that it discovered in the first session for
the second (the second must find out for itself).

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp

More information about the ietf-nntp mailing list