ietf-nntp Currently outstanding issues

Jeffrey M. Vinocur jeff at litech.org
Sat Apr 26 06:26:27 PDT 2003


On Sat, 26 Apr 2003, Ken Murchison wrote:

> "Jeffrey M. Vinocur" wrote:
> 
> > (Hmm, you might want to point out here that an extension could "increase
> > in the maximum length of commands over the value specified in this
> > document" [section 8] -- or is that being silly?)
> 
> I assume that you're mentioning this for SASL?  I agree, that extensions
> should be able to extend this limit.

Sorry, I wasn't clear.  The text I quoted *is* in the section on the 
extensions mechanism as something extension description documents must 
include; I just wanted to know if it might help to refer to it in the 
section about the 512 character limit.


> > | An NNTP client MUST NOT cache (for use in another session) any
> > | information returned if the LIST EXTENSIONS command succeeds. That
> > | is, an NNTP client is only able to get the current and correct
> > | information concerning available extensions at any point during a
> > | session by issuing a LIST EXTENSIONS command at that point of that
> > | session and processing the response.  [section 5.3.2]
> > 
> > In the SASL draft-to-be, I believe we indicate that a client might be wise
> > to cache this information in order to display a cautionary message to the
> > user should a high-security method be missing (perhaps indicating a
> 
> I don't follow what you're saying without seeing the actual AUTHINFO
> SASL text, but a single session can do whatever it wishes with the info
> that it discovers.

Here's the text:

| [... man-in-the-middle attacks ...] An NNTP client can partially
| protect against these attacks by recording the fact that a particular
| NNTP server offers TLS during one session and generating an alarm if it
| does not appear in the LIST EXTENSIONS response for a later session.

So I'm trying to decide if the second sentence from 5.3.2 above is the 
(normative) definition of "use in another session", or just a (n 
informative) clarification.


-- 
Jeffrey M. Vinocur
jeff at litech.org
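
Added example, not part of the original message or of either draft: a minimal client-side check of the kind the quoted SASL text describes, which persists only the fact that a server once offered TLS and raises an alarm when a later LIST EXTENSIONS response lacks it. The `STARTTLS` label, the 2xx success status line, the dot-terminated response layout, the store file and the server name are assumptions for illustration.

```python
import json
import os
import tempfile

TLS_LABEL = "STARTTLS"  # assumed extension label; the message only says "TLS"


def parse_list_extensions(raw):
    """Return the set of extension labels in a LIST EXTENSIONS response."""
    lines = raw.decode("ascii", "replace").split("\r\n")
    if not lines[0].startswith("2"):   # assumed: a 2xx status line means success
        return set()                   # command failed: nothing was advertised
    labels = set()
    for line in lines[1:]:
        if line == ".":                # a lone dot ends the multi-line block
            break
        if line.strip():
            labels.add(line.split()[0].upper())  # label is the first token
    return labels


def check_session(store_path, server, raw):
    """Return True (alarm) if `server` offered TLS before but does not now."""
    try:
        with open(store_path) as fh:
            seen_tls = set(json.load(fh))
    except FileNotFoundError:
        seen_tls = set()
    offers_tls = TLS_LABEL in parse_list_extensions(raw)  # current session only
    alarm = server in seen_tls and not offers_tls
    if offers_tls and server not in seen_tls:
        seen_tls.add(server)           # record the single fact "TLS was seen"
        tmp = store_path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(sorted(seen_tls), fh)
        os.replace(tmp, store_path)    # atomic update of the record
    return alarm


# Constructed sample responses (not captured from a real server).
WITH_TLS = b"202 Extensions supported:\r\nOVER\r\nSTARTTLS\r\n.\r\n"
WITHOUT_TLS = b"202 Extensions supported:\r\nOVER\r\n.\r\n"


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tls_seen.json")
        return [check_session(path, "news.example.org", r)
                for r in (WITHOUT_TLS, WITH_TLS, WITHOUT_TLS, WITH_TLS)]
```

The extension list itself is never reused across sessions here; each call parses the response from the current session, and a failed LIST EXTENSIONS on a server previously seen with TLS also triggers the alarm.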



