ietf-nntp Response code issues

Jeffrey M. Vinocur jeff at litech.org
Tue Mar 25 14:56:46 PST 2003


On Tue, 25 Mar 2003, Clive D.W. Feather wrote:

> I'm afraid I can't make sense of this bit of your draft.

Uh oh, that's not good.


> If a 483 can only be returned once TLS is active, then that's not a problem
> - the STARTTLS extension has been invoked and 483 becomes a legitimate
> response.
>
> If a 483 can be returned by STARTTLS, or during TLS negotiation then,
> again, no problem.

483 is not a valid response to STARTTLS.  It's unlikely to be returned
after a TLS layer (or SASL layer with encryption) is established, although 
I suppose that it could be used to indicate that the cipher is too weak 
for some purpose.


> If a 483 can be returned by AUTHINFO or after an AUTHINFO command,
> then that depends on the specification of AUTHINFO.
> 
> The only problem is if 483 can be returned to a client that has not invoked
> anything outside the main NNTP specification. Is that so?

The intent as written (can you be more specific about what's unclear so I 
can revise it?) is that 483 could be returned in response to any command 
should the server wish to indicate that encryption is required for that 
command.

Now, in practice, this is most likely to be AUTHINFO.  But Russ described 
a scenario in which authentication is not necessary, but encryption is 
desired for a particular group.  So while we *could* restrict 483 to being 
returned by AUTHINFO, I think that might be unnecessarily restrictive.


> > Suppose a server provides read-only access to the world, and 
> > administrators can authenticate to get post access, but only if they're on 
> > the local subnet.  Does the text above indicate that the server has to 
> > distinguish between local and non-local IP addresses?  (It might be 
> > easier for an implementation to simply return 480 to all POST commands at 
> > this stage, and then decide whether or not to accept authentication from a 
> > given IP when that authentication is actually given.)
> 
> Either the server should distinguish, or it should return 480 to everyone.

I agree here.


> 480 should mean "you could try authenticating" while 502 should mean "this
> connection will never have access".

Indeed -- I'm just not sure a strict reading of the text you had conveyed 
that accurately.  I'm sure you'll clarify it adequately.


-- 
Jeffrey M. Vinocur
jeff at litech.org
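The access policy the two messages discuss (world-readable server, admins who may authenticate only from the local subnet, 483 usable on any command that needs encryption, 480 versus 502 for POST), modelled as an added example; this is constructed code, not from the thread or any NNTP server, and the subnet, group names and the Connection/Policy shapes are assumptions:

```python
"""Server-side response-code selection for the access policy discussed in this
thread. Constructed example; subnet, group names and object shapes are assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

LOCAL_SUBNET = ip_network("192.0.2.0/24")   # assumed admin subnet (constructed)

@dataclass
class Connection:
    peer_ip: str
    encrypted: bool = False       # TLS, or a SASL layer with encryption, is active
    authenticated: bool = False

@dataclass
class Policy:
    # Groups readable without authenticating, but only over an encrypted
    # connection (the scenario attributed to Russ in the mail).
    encrypted_only_groups: set = field(default_factory=set)
    # True: answer every unauthenticated POST with 480 and judge the peer's
    # address only when AUTHINFO arrives; False: distinguish local from
    # non-local peers already at POST time (the two options Clive allows).
    defer_ip_check_to_authinfo: bool = False

def respond(conn: Connection, command: str, policy: Policy) -> Optional[int]:
    """Access-control code the server sends for COMMAND, or None if the command
    proceeds normally. 480: you could try authenticating. 502: this connection
    will never have access. 483: encryption is required before this command."""
    verb, _, arg = command.strip().partition(" ")
    verb = verb.upper()
    local = ip_address(conn.peer_ip) in LOCAL_SUBNET
    if verb == "STARTTLS":               # 483 is never a reply to STARTTLS
        conn.encrypted = True
        return None
    if verb == "AUTHINFO":
        if not conn.encrypted:
            return 483                   # credentials only over encryption
        if not local:
            return 502                   # admins authenticate only from the LAN
        conn.authenticated = True
        return None
    if verb == "POST" and not conn.authenticated:
        if policy.defer_ip_check_to_authinfo or local:
            return 480
        return 502
    if verb == "GROUP" and arg in policy.encrypted_only_groups and not conn.encrypted:
        return 483
    return None                          # world-readable: everything else proceeds
```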



