ietf-nntp Response code issues

Clive D.W. Feather clive at demon.net
Tue Mar 25 08:47:03 PST 2003


Jeffrey M. Vinocur said:
>> Okay, if this is so then - combined with the comments above about
>> extensions - it seems to me that 480 *has* to be made a generic response.
> Then we need 483 too, don't we?  (For people not keeping up on the 
> STARTTLS draft, we're standardizing a response code meaning 
> "stronger encryption required" -- either 483 or 484.)

I'm afraid I can't make sense of this bit of your draft.

If a 483 can only be returned once TLS is active, then that's not a problem
- the STARTTLS extension has been invoked and 483 becomes a legitimate
response.

If a 483 can be returned by STARTTLS, or during TLS negotiation, then,
again, no problem.

If a 483 can be returned by AUTHINFO or after an AUTHINFO command,
then that depends on the specification of AUTHINFO.

The only problem is if 483 can be returned to a client that has not invoked
anything outside the main NNTP specification. Is that so?

>>    If the client is not
>>    authorized to use the specified facility when the server is in its
>>    current state, and it is necessary to terminate the connection and
>>    start a new one with the appropriate authority before the command
>>    can be used, then the response code 502 MUST be returned.
> Thinking about implementation, I'm a little worried about that MUST.  
> Suppose a server provides read-only access to the world, and 
> administrators can authenticate to get post access, but only if they're on 
> the local subnet.  Does the text above indicate that the server has to 
> distinguish between local and non-local IP addresses?  (It might be 
> easier for an implementation to simply return 480 to all POST commands at 
> this stage, and then decide whether or not to accept authentication from a 
> given IP when that authentication is actually given.)

Either the server should distinguish, or it should return 480 to everyone.
480 should mean "you could try authenticating" while 502 should mean "this
connection will never have access".

> So perhaps the "it is necessary to terminate the connection" should be 
> preceded by something like "the server wishes to indicate that"?

Hmm.

Better, I think, is to say that "not authorized" MUST result in 480 or 502,
and SHOULD result in the appropriate one of those. I'll look into new
wording.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:  +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | *** NOTE CHANGE ***
Demon Internet      | WWW: http://www.davros.org | Fax:  +44 870 051 9937
Thus plc            |                            | Mobile: +44 7973 377646
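As an added illustration of the 480/502 distinction argued in this message (and of the 483 case that only arises once STARTTLS is in play), here is a small Python model of how a server might pick the response to POST and to a later AUTHINFO. It is not code from the ietf-nntp drafts or from any NNTP implementation; the admin subnet, the `Connection` fields and the `require_tls_for_auth` switch are assumptions made up for the example, and the policy is the one described above: 502 when this connection can never gain access, 480 when authenticating might work, 483 when the server insists on encryption before it will take credentials.

```python
# Added example, not part of the ietf-nntp thread or any NNTP server.
# Models the choice between 480 ("you could try authenticating"),
# 502 ("this connection will never have access") and 483 ("stronger
# encryption required", meaningful only when STARTTLS is offered).
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Hypothetical: the subnet from which administrators may authenticate.
# 192.0.2.0/24 is a documentation range, used here as a constructed value.
ADMIN_SUBNET = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Connection:
    peer_ip: str
    tls_active: bool = False
    authenticated: bool = False
    starttls_offered: bool = True   # server advertises the STARTTLS extension


def on_admin_subnet(conn: Connection) -> bool:
    return ipaddress.ip_address(conn.peer_ip) in ADMIN_SUBNET


def post_response(conn: Connection,
                  distinguish_at_post: bool = True,
                  require_tls_for_auth: bool = False) -> Tuple[int, str]:
    """Response to a POST command before any article text is accepted.

    distinguish_at_post=True is the "server should distinguish" strategy:
    a peer that can never authenticate gets 502 right away.  With it set
    to False the server returns 480 to everyone and defers the subnet
    decision to authinfo_response(), the alternative Jeffrey describes.
    """
    if conn.authenticated:
        return 340, "Input article; end with <CR-LF>.<CR-LF>"
    if distinguish_at_post and not on_admin_subnet(conn):
        # No credentials will ever be accepted from this address.
        return 502, "Posting not permitted from this address"
    if require_tls_for_auth and conn.starttls_offered and not conn.tls_active:
        # Only legitimate because the STARTTLS extension has been offered.
        return 483, "Encryption required before authentication"
    # Authentication could succeed, so invite the client to try.
    return 480, "Authentication required for posting"


def authinfo_response(conn: Connection, credentials_ok: bool) -> Tuple[int, str]:
    """Response to AUTHINFO once a password has been supplied.

    Uses the 281 / 481 codes of the AUTHINFO extension.  The subnet check
    lives here as well, so that a server using the "480 to everyone"
    strategy still refuses administrators outside the local subnet.
    """
    if not on_admin_subnet(conn):
        return 481, "Authentication rejected from this address"
    if not credentials_ok:
        return 481, "Authentication failed"
    conn.authenticated = True
    return 281, "Authentication accepted"


if __name__ == "__main__":
    local = Connection("192.0.2.5")
    remote = Connection("198.51.100.7")          # constructed outside address
    print(post_response(local))                  # (480, ...)
    print(post_response(remote))                 # (502, ...)
    print(post_response(remote, distinguish_at_post=False))  # (480, ...)
    print(authinfo_response(remote, True))       # (481, ...)
    print(authinfo_response(local, True))        # (281, ...)
    print(post_response(local))                  # (340, ...)
```

The two strategies are equivalent from a security standpoint as long as the subnet check is enforced at one of the two points; the difference Clive draws is purely about what the client is told, and the model makes visible that 502 is a promise ("never"), so a server must not emit it unless it is prepared to keep it.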