ietf-nntp Draft 20 pre-release 2

Clive D.W. Feather clive at demon.net
Fri Oct 10 08:15:31 PDT 2003


Jeffrey M. Vinocur said:
> I do support Clive's point that this *is* a protocol document and thus
> it's not really well-formed (or even in our scope?) for us to prohibit
> caching per se.  

Indeed. It's also an untestable requirement.

Basically, if a client screws up security, is it because they cached when
we told them not to, or for some other reason? Both point to problems with
the author.

> An alternative phrasing along the lines of "clients MUST send LIST
> EXTENSIONS before using ..." would probably be more appropriate.  Or maybe 
> we should emphasize that each extension document needs to state whether or 
> not LIST EXTENSIONS is required before use of that extension, and remind 
> extension document authors that security extensions should invoke that 
> requirement.

Firstly, we talked that one out before. This implies that LIST EXTENSIONS
can turn extensions on, and that is a strict no.

Secondly, LIST EXTENSIONS is actually a symptom, not a cause. The problem
we're trying to solve is clients that send passwords over an insecure link.
If a client uses SASL PLAIN (or whatever) without establishing TLS first,
it's broken. It doesn't matter *why* it did that. People seem to be
assuming that clients will use LIST EXTENSIONS to know what security
mechanism is there. What if they don't? What if they use SASL QUERY, or
some other arrangement? They're just as broken.

The right place to warn about this is in the document that defines SASL
(or whatever). We agreed this was important enough to put a note in the
base document, and I'm fine with that. The present wording is clear that
you SHOULD NOT do this, and I'm happy to make that MUST if Russ is.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | *** NOTE CHANGE ***
Demon Internet      | WWW: http://www.davros.org | Fax:    +44 870 051 9937
Thus plc            |                            | Mobile: +44 7973 377646
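The point Clive makes above is that the safety check belongs where the credential is about to be sent, not in whatever discovery step told the client which mechanisms exist. The following is an added illustration, not code from the thread or from any NNTP implementation: a client-side gate that refuses plaintext SASL mechanisms unless TLS is already active, independent of what the server listed. The capability listing is constructed, its line format and the `AUTHINFO SASL` command syntax are assumptions of the example, and the function and constant names are hypothetical.

```python
import base64

# SASL mechanisms that hand the password (or an equivalent) to anyone who can
# read the link. Using them before TLS is up is the failure the thread describes.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


class InsecureAuthError(Exception):
    """Raised when a plaintext mechanism is attempted without TLS."""


def parse_sasl_mechs(listing: str) -> set:
    """Collect SASL mechanisms from a capability listing.
    Format assumed: one capability per line, mechanisms following a 'SASL' label."""
    mechs = set()
    for line in listing.splitlines():
        parts = line.split()
        if parts and parts[0].upper() == "SASL":
            mechs.update(m.upper() for m in parts[1:])
    return mechs


def mechanism_is_safe(mech: str, tls_active: bool) -> bool:
    """Policy check keyed on the connection state alone.
    It deliberately ignores what the server advertised: a listing that offers
    PLAIN on a cleartext connection does not make sending PLAIN acceptable."""
    return tls_active or mech.upper() not in PLAINTEXT_MECHS


def build_auth_command(mech: str, user: str, password: str, tls_active: bool) -> str:
    """Build the AUTHINFO SASL command line (syntax assumed), enforcing the check
    at the point where the credential would actually leave the client."""
    mech = mech.upper()
    if not mechanism_is_safe(mech, tls_active):
        raise InsecureAuthError(f"refusing {mech} before TLS is established")
    if mech == "PLAIN":
        # PLAIN initial response: authzid NUL authcid NUL passwd, base64-encoded.
        ir = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
        return f"AUTHINFO SASL PLAIN {ir}"
    raise NotImplementedError(f"mechanism {mech} not handled in this example")


# Constructed listing for a cleartext session that nevertheless advertises PLAIN.
CLEARTEXT_LISTING = "VERSION 2\nSTARTTLS\nSASL PLAIN DIGEST-MD5\n"

if __name__ == "__main__":
    print("offered:", sorted(parse_sasl_mechs(CLEARTEXT_LISTING)))
    print("PLAIN ok on cleartext?", mechanism_is_safe("PLAIN", tls_active=False))
    print(build_auth_command("PLAIN", "alice", "s3cret", tls_active=True))
```

Whether the client learned about PLAIN from LIST EXTENSIONS, from some other query, or from a hard-coded assumption makes no difference to the gate; only the TLS state does.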
