ietf-nntp Draft 20 pre-release 3

Rob Siemborski rjs3 at andrew.cmu.edu
Fri Oct 10 06:41:16 PDT 2003


On Fri, 10 Oct 2003, Clive D.W. Feather wrote:

> Okay, I've taken all the wording changes I made in response to comments on
> draft pre-2 and put up the result as pre-3. There's also a unidiff for
> those who want to just see the highlights:
>
> <http://www.davros.org/nntp-texts/draft20.pre-3.txt>
> <http://www.davros.org/nntp-texts/draft20.pre-3.html>
> <http://www.davros.org/nntp-texts/draft20.pre-2-3.DIFFS.txt>

I hadn't caught up on the list traffic by my earlier email, but:

5.3:

depending on other changes. Furthermore, a server SHOULD NOT use cached
results in relation to security, privacy, and authentication extensions.
See Section 11.6 for further discussion of this topic.

"Furthermore, a CLIENT..."

And I still feel that this needs to be a MUST NOT.

11.6:

Therefore a client sending private information, such as a cleartext
password, to a server SHOULD check the security state of the link and the
identity of the server immediately beforehand and SHOULD NOT rely on the
(cached) results of any previous check. How such a check is done will, of
course, depend on the particular facilities available from the server.

Again, "to a server MUST check", and "MUST NOT rely on"

While I can appreciate the desire to try to avoid this extra round trip,
to leave any wiggle room in the realm of security related extensions
defeats the entire point.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski | Andrew Systems Group * Research Systems Programmer
PGP:0x5CE32FCC | Cyert Hall 207 * rjs3 at andrew.cmu.edu * 412.268.7456
-----BEGIN GEEK CODE BLOCK----
Version: 3.12
GCS/IT/CM/PA d- s+: a-- C++++$ ULS++++$ P+++$ L+++(++++) E W+ N o? K-
w O- M-- V-- PS+ PE++ Y+ PGP+ t+@ 5+++ R@ tv-@ b+ DI+++ G e h r- y?
------END GEEK CODE BLOCK-----
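The caching problem discussed in this message, shown as an added example that is not part of the thread or of the draft: a toy NNTP client in Python that decides whether to send AUTHINFO PASS. `FakeLink` and `NntpClient` are constructed stand-ins (no socket is opened); the "secure" test is modelled on the draft's advice that a server still advertising STARTTLS is telling the client the link is cleartext. The scenario in `demo()` caches a CAPABILITIES answer while TLS is up, then has the link silently fall back to cleartext; a client that trusts the cached result sends the password anyway, while one that re-checks immediately beforehand refuses.

```python
from dataclasses import dataclass, field


@dataclass
class FakeLink:
    """Constructed stand-in for an NNTP connection (no real socket)."""
    tls: bool = False                              # is the link encrypted right now?
    sent: list = field(default_factory=list)       # commands the client "sent"

    def capabilities(self) -> set:
        """What the server would answer to CAPABILITIES at this moment."""
        caps = {"VERSION 2", "READER", "AUTHINFO USER"}
        if not self.tls:
            caps.add("STARTTLS")                   # only offered on a cleartext link
        return caps

    def send(self, line: str) -> None:
        self.sent.append(line)


class NntpClient:
    """Minimal client that may or may not re-check link security before AUTHINFO."""

    def __init__(self, link: FakeLink):
        self.link = link
        self._cached_caps = None

    def capabilities(self, refresh: bool = False) -> set:
        # Cached result is reused unless the caller insists on a fresh answer.
        if refresh or self._cached_caps is None:
            self._cached_caps = self.link.capabilities()
        return self._cached_caps

    def link_looks_secure(self, refresh: bool) -> bool:
        # A real client would also inspect the socket itself (e.g. that it is an
        # ssl.SSLSocket whose peer certificate was verified); here the only
        # evidence is the capability list, cached or fresh.
        return "STARTTLS" not in self.capabilities(refresh=refresh)

    def authenticate(self, user: str, password: str, recheck: bool = True) -> bool:
        """Send AUTHINFO USER/PASS; return True only if the password was sent."""
        if not self.link_looks_secure(refresh=recheck):
            return False                           # refuse to expose the password
        self.link.send(f"AUTHINFO USER {user}")
        self.link.send(f"AUTHINFO PASS {password}")
        return True


def demo(recheck: bool) -> tuple:
    """Constructed scenario: cache taken over TLS, then the link is downgraded.

    Returns (password_sent, link_was_tls_when_sent).
    """
    link = FakeLink(tls=True)
    client = NntpClient(link)
    client.capabilities()                          # populate the cache while TLS is up
    link.tls = False                               # constructed: link silently downgraded
    sent = client.authenticate("alice", "hunter2", recheck=recheck)
    return sent, link.tls


def demo_still_secure() -> bool:
    """Control case: link stays on TLS, the re-checking client does authenticate."""
    link = FakeLink(tls=True)
    return NntpClient(link).authenticate("alice", "hunter2", recheck=True)


if __name__ == "__main__":
    print("cached check  ->", demo(recheck=False))   # password sent over cleartext
    print("fresh check   ->", demo(recheck=True))    # password withheld
    print("secure link   ->", demo_still_secure())
```

The difference between SHOULD NOT and MUST NOT in the draft is exactly the difference between `recheck=False` being permitted and being forbidden: with the cached result the only thing protecting the password is the assumption that nothing changed since CAPABILITIES was last read.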
