ietf-nntp Multiple AUTHINFOs per session

[Jeffrey M. Vinocur]

On Mon, 6 Jan 2003, Russ Allbery wrote:

> Jeffrey M Vinocur <jeff at litech.org> writes:
> 
> > How about a compromise?  This draft specifies an AUTHINFO capability to
> > be returned by LIST EXTENSIONS.  How about I point out that a server
> > which does not want clients to do multiple authentications steps can
> > avoid listing that capability after authentication has been performed?
> 
> I'm somewhat leery of solving problems like this by adding a new extension
> tag.  

Well, we're adding one regardless, to indicate what sorts of AUTHINFO the 
server supports.  So the effect I describe above is a natural consequence, 
we'd just be pointing it out.


> That may well be the right way of solving it, but each extension tag
> adds another variable in an implementation and therefore another thing
> that a client author has to think about.  That means it adds to the
> overall complexity of the specification.

Mm, yeah.  (Of crouse, it's not like we need to actually forbid the client
from issuing the command -- if it does, it'll just get 502 and have deal
with it.)


> If we need that complexity, that's great, but if we don't need that
> complexity, I think it's better to just pick something.  There's a
> standard maxim when writing RFCs that goes something like "when there's
> two ways of doing something, pick one."

Point.  I'm willing to disallow it if nobody objects.

If we do disallow it, the capability should not be advertised by LIST 
EXTENSIONS, right?


> Maybe we should check with news.software.nntp to see if there's anyone
> who's going to be unhappy if multiple AUTHINFO commands aren't supported?

Ok, I can do this, I guess.


-- 
Jeffrey M. Vinocur
jeff at litech.org