ietf-nntp TLS and AUTHINFO interaction

Jeffrey M. Vinocur jeff at litech.org
Mon Mar 17 20:03:32 PST 2003


On Mon, 17 Mar 2003, Russ Allbery wrote:

> Jeffrey M Vinocur <jeff at litech.org> writes:
> 
> > I was planning on lumping the already-authenticated state in with the
> > already-established-TLS state; in both cases STARTTLS would not appear
> > in list extensions, the client would be expected to know not to try it,
> > and any attempt to try it would be met with 500.  The two cases seem
> > very similar to me.
> 
> Hm... is it kosher to have LIST EXTENSIONS change after authentication?

You got me.  Seems to be what all the other protocols do, though.

Also, doesn't it *have* to change so that we can list e.g. SASL PLAIN 
which would not be acceptable on an insecure link?


> But if we could avoid making the client reissue LIST EXTENSIONS after
> authentication, I think I'd prefer it.  

I can't say I like any required use of LIST EXTENSIONS at all.  
(Particularly not for the convoluted way the forthcoming AUTHINFO USER 
text has it, but that's a different issue.)  But it seems that the de
rigueur thing is to compare the list of extensions before and after to 
prevent forced cipher downgrades, and if they have to do it anyway, I 
certainly feel like we may as well not list the things we don't want the 
client to try.


-- 
Jeffrey M. Vinocur
jeff at litech.org
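A constructed model of the states this message describes, added here as an illustration and not code from the ietf-nntp drafts or any NNTP server: the server drops STARTTLS from LIST EXTENSIONS once TLS is up or the client has authenticated and answers a stray STARTTLS with 500, advertises SASL PLAIN only over TLS, and the client compares the listings before and after STARTTLS to catch a stripped cleartext leg. The reply codes 382 and 281 and the exact extension strings are assumptions.

```python
# Constructed model of the STARTTLS / LIST EXTENSIONS / AUTHINFO interaction
# discussed in the thread; not code from any NNTP server or the ietf-nntp drafts.
# Reply codes and extension strings are assumptions for illustration.

STARTTLS, AUTH_USER, SASL_PLAIN = "STARTTLS", "AUTHINFO USER", "AUTHINFO SASL PLAIN"

class ServerSession:
    """Server side of one connection: what LIST EXTENSIONS returns depends on
    whether TLS is active and whether the client has already authenticated."""

    def __init__(self):
        self.tls_active = False
        self.authenticated = False

    def list_extensions(self):
        exts = [AUTH_USER]
        # STARTTLS is dropped once TLS is up or the client has authenticated,
        # so a well-behaved client knows not to try it again.
        if not (self.tls_active or self.authenticated):
            exts.append(STARTTLS)
        # SASL PLAIN sends the password in the clear: only offer it over TLS.
        if self.tls_active:
            exts.append(SASL_PLAIN)
        return exts

    def starttls(self):
        if self.tls_active or self.authenticated:
            return 500  # STARTTLS attempted while not advertised
        self.tls_active = True
        return 382  # assumed: "continue with TLS negotiation"

    def authinfo(self, mechanism):
        if mechanism not in self.list_extensions():
            return 500
        self.authenticated = True
        return 281  # assumed: "authentication accepted"

def post_tls_check(before, after):
    """Client-side downgrade check after STARTTLS: everything advertised on the
    cleartext leg except STARTTLS must still be present, and STARTTLS must be gone."""
    stripped = set(before) - set(after) - {STARTTLS}
    return not stripped and STARTTLS not in after

def choose_auth(exts, tls_active):
    """Client policy: password-bearing mechanisms are only acceptable over TLS."""
    if not tls_active:
        return None
    return SASL_PLAIN if SASL_PLAIN in exts else AUTH_USER
```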



