ietf-nntp Draft 20 pre-release 2
Clive D.W. Feather
clive at demon.net
Fri Oct 10 02:29:08 PDT 2003
Russ Allbery said:
> I can certainly support clarifying that security extension information may
> not be cached.

We say "MUST NOT rely on cache contents", because doing so could break
interoperability.

The penultimate paragraph of 11.6 currently reads:

    Therefore a client sending private information, such as a cleartext
    password, to a server is advised always to check the security state
    of the link and the identity of the server immediately beforehand.
    How this is done will, of course, depend on the particular
    facilities available on the server.

I can now see that that "is advised to" is far too weak and I have changed
it to:

    Therefore a client sending private information, such as a cleartext
    password, to a server SHOULD check the security state of the link
    and the identity of the server immediately beforehand and SHOULD NOT
    rely on the (cached) results of any previous check. How such a check
    is done will, of course, depend on the particular facilities
    available from the server.

It's not clear to me that we can say MUST and MUST NOT rather than SHOULD,
because it isn't an interoperability issue. However, if you tell me that
MUST is compatible with RFC 2119, I'll happily make the change.

--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | *** NOTE CHANGE ***
Demon Internet | WWW: http://www.davros.org | Fax: +44 870 051 9937
Thus plc | | Mobile: +44 7973 377646