ietf-nntp Draft 20 pre-release 2

Rob Siemborski rjs3 at andrew.cmu.edu
Fri Oct 10 06:24:32 PDT 2003


On Fri, 10 Oct 2003, Clive D.W. Feather wrote:

> > This is highly unacceptable behavior that I strongly suspect will not make
> > it past the IESG.  The only solution to this is to keep the text of 5.3
> > and not encourage implementations to cache results at any point in the
> > document (remove 11.6, or replace with a strong anti-caching stance).
>
> I don't understand your vehemence here. We agreed a month or so back that
> security issues were different and caching had to be thought through
> carefully in that respect.

As Russ noted, I wasn't a part of those discussions.

My vehemence is because I suspect that the current text is open to wild
misinterpretation.  I suspect even if you fix it for "some caching is
okay and some caching is never ok" it will still be likely to be confused
in dangerous ways.

>     [C] LIST EXTENSIONS MOREINFO
>     [S] 202 Extensions list with more information
>     [S] + AUTHINFO USER
>     [S] ! SASL CRAM-MD5 NTLM DIGEST-MD5 PLAIN
>     [S] - SASL CRAM-MD5 NTLM DIGEST-MD5
>     [S] + STREAMING
>     [S] - STARTTLS
>     [S] .
>
> where:
>
>     + = this extension is always available
>     ! = this extension is available now, but not in some other states
>     - = this extension is available in some other states, but not now
>
> and to which we could perhaps add:
>
>     ? = this extension is available now, but not in some other states;
>         for security reasons clients MUST NOT cache this information

Is this optimization really worth this much additional complexity?

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski | Andrew Systems Group * Research Systems Programmer
PGP:0x5CE32FCC | Cyert Hall 207 * rjs3 at andrew.cmu.edu * 412.268.7456
-----BEGIN GEEK CODE BLOCK----
Version: 3.12
GCS/IT/CM/PA d- s+: a-- C++++$ ULS++++$ P+++$ L+++(++++) E W+ N o? K-
w O- M-- V-- PS+ PE++ Y+ PGP+ t+@ 5+++ R@ tv-@ b+ DI+++ G e h r- y?
------END GEEK CODE BLOCK-----
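
Added example, not part of the original message or of any NNTP draft: a parser for the LIST EXTENSIONS MOREINFO reply proposed in the quoted text, with a policy that treats only "+" entries as cacheable. The function names, the split into label and arguments, and the EXAMPLE-EXT entry are assumptions made for illustration.

```python
# Added example: parser and cache policy for the proposed MOREINFO reply.
# Marker meanings come from the quoted proposal; names here are hypothetical.
USABLE_NOW = {"+", "!", "?"}   # available in the current session state
CACHEABLE = {"+"}              # only "always available" is state-independent
KNOWN = USABLE_NOW | {"-"}

# Constructed sample: the quoted reply plus a made-up "?" entry (EXAMPLE-EXT).
SAMPLE = (
    "202 Extensions list with more information\r\n"
    "+ AUTHINFO USER\r\n"
    "! SASL CRAM-MD5 NTLM DIGEST-MD5 PLAIN\r\n"
    "- SASL CRAM-MD5 NTLM DIGEST-MD5\r\n"
    "+ STREAMING\r\n"
    "- STARTTLS\r\n"
    "? EXAMPLE-EXT\r\n"
    ".\r\n"
)

def parse_moreinfo(reply):
    """Return [(marker, label, args)] from a 202 multi-line reply."""
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("202 "):
        raise ValueError("expected a 202 extensions reply")
    if "." not in lines[1:]:
        raise ValueError("reply is missing its terminating '.' line")
    entries = []
    for line in lines[1:lines.index(".", 1)]:
        marker, _, rest = line.partition(" ")
        words = rest.split()
        if marker not in KNOWN or not words:
            raise ValueError("malformed entry: %r" % line)
        # Assumption: first word is the extension label, the rest are arguments.
        entries.append((marker, words[0], words[1:]))
    return entries

def select(entries, markers):
    """Map label -> args for entries carrying one of the given markers."""
    return {label: args for marker, label, args in entries if marker in markers}

def usable_now(entries):
    return select(entries, USABLE_NOW)

def cacheable(entries):
    return select(entries, CACHEABLE)

if __name__ == "__main__":
    parsed = parse_moreinfo(SAMPLE)
    print("usable now:", usable_now(parsed))
    print("safe to cache:", cacheable(parsed))
```

Entries outside cacheable() depend on session state, so a client following this policy re-issues the command rather than reusing them.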



