ietf-nntp LIST EXTENSION caching, latest wording

Clive D.W. Feather clive at demon.net
Mon Oct 13 01:22:24 PDT 2003 

Okay, here's what I've produced following the flurry of messages over the
weekend.

Personally, I still think it's better to have this stuff in there than
nothing at all, but I agree it's important to send the right messages
on security. So I hope we can all feel we're converging on good text.

In 5.3.2, one paragraph:

   While some extensions are likely to be always available or never
   available, others will "appear" and "disappear" depending on other
   changes. An NNTP client may cache the results of this command, but
   MUST NOT rely on any cached results - whether from earlier in this
   session or from a previous session - remaining correct, MUST cope
   gracefully with the cached status being out of date, and SHOULD (if
   caching results) provide a way to force the cached information to be
   refreshed. Furthermore, a client MUST NOT use cached results in
   relation to security, privacy, and authentication extensions. See
   Section 11.6 for further discussion of this topic.

11.6 Caching of LIST EXTENSIONS results

   The LIST EXTENSIONS command provides information about the extensions
   currently available from the server. Whenever there is a relevant
   change to the server state, the results of this command are required
   to change accordingly.

   In most situations the results from this command in a given server
   state will not change from session to session; a given extension will
   be installed permanently on a server. Some clients may therefore wish
   to remember which extensions a server supports to avoid the delay of
   an additional command and response, particularly if they open
   multiple connections in the same session.

   However, information about extensions related to security and privacy
   MUST NOT be cached, since this could allow a variety of attacks.

   For example, consider a server which permits the use of cleartext
   passwords on links that are encrypted but not otherwise:

      [Initial TCP connection setup completed.]
      [S] 200 NNTP Service Ready, posting permitted
      [C] LIST EXTENSIONS
      [S] 202 Extensions supported:
      [S] XENCRYPT
      [S] .
      [C] XENCRYPT
      [Client and server negotiate encryption on the link]
      [S] 283 Encrypted link established
      [C] LIST EXTENSIONS
      [S] 202 Extensions supported:
      [S] XSECRET
      [S] .
      [C] XSECRET   fred flintstone
      [S] 290 Password for fred accepted

   If the client caches the last LIST EXTENSIONS result, then on the
   next session it will attempt to use XSECRET on an unencrypted link:

      [Initial TCP connection setup completed.]
      [S] 200 NNTP Service Ready, posting permitted
      [C] XSECRET   fred flintstone
      [S] 483 Only permitted on secure links

   exposing the password to any eavesdropper. While the primary cause of
   this is passing a secret without first checking the security of the
   link, caching of LIST EXTENSIONS results can increase the risk.

   Any security extension should include requirements to check the
   security state of the link in a manner appropriate to that extension.

   Caching should normally only be considered for anonymous clients that
   do not use any security or privacy extensions and for which the time
   required for an additional command and response is a noticable issue.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | *** NOTE CHANGE ***
Demon Internet      | WWW: http://www.davros.org | Fax:    +44 870 051 9937
Thus plc            |                            | Mobile: +44 7973 377646

More information about the ietf-nntp mailing list