ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?

Russ Allbery rra at stanford.edu
Tue Sep 9 21:54:20 PDT 2003


Ken Murchison <ken at oceana.com> writes:

> If the client caches the last LIST EXTENSIONS response, then the next
> time that it goes to authenticate (w/o checking LIST EXTENSIONS), it
> will try to do so in the clear, which is "not a good thing":

Ah, I see... SASL PLAIN authentication sends the password on the first
pass.  Hm.  That's actually pretty annoying; I like AUTHINFO a lot better
since it allows the server to abort the authentication without exposing
the password if something is wrong with the user.  Clients using SASL
PLAIN can authenticate to the wrong server and hence give away their
password rather than just getting an unknown user error.

Well, given that, I can see the need to issue LIST EXTENSIONS before
authenticating with SASL PLAIN because SASL PLAIN is (arguably) broken in
the way that it does authentication negotiation.  Sigh.

But this is something that could be dealt with in the writeup for AUTHINFO
SASL.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
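
As an added illustration (not part of the original message), the Python sketch below shows why the first SASL PLAIN message already carries the password, and a client-side guard against acting on a cached LIST EXTENSIONS response. The `AuthPolicy` class and its method names are hypothetical, and requiring an encryption layer before PLAIN is an assumed client policy.

```python
import base64


def plain_initial_response(authcid, password, authzid=""):
    """SASL PLAIN message (RFC 4616): [authzid] NUL authcid NUL passwd, base64 for the wire."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def recover_password(initial_response):
    """What any receiver of the first message reads back, including the wrong server."""
    _authzid, _authcid, passwd = base64.b64decode(initial_response).split(b"\0")
    return passwd.decode("utf-8")


class AuthPolicy:
    """Hypothetical guard: PLAIN is allowed only on a fresh advertisement (assumed policy)."""

    def __init__(self):
        # Populated only by a LIST EXTENSIONS issued on the current connection state.
        self.fresh_mechs = None

    def on_connection_reset(self):
        # New connection or changed security layer: a cached advertisement is stale.
        self.fresh_mechs = None

    def on_list_extensions(self, sasl_mechs):
        self.fresh_mechs = set(sasl_mechs)

    def may_send_plain(self, encrypted):
        if self.fresh_mechs is None:
            return False, "no LIST EXTENSIONS on this connection"
        if "PLAIN" not in self.fresh_mechs:
            return False, "server does not currently advertise PLAIN"
        if not encrypted:
            return False, "no encryption layer"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    msg = plain_initial_response("alice", "s3cret")
    print(msg, "->", recover_password(msg))
    policy = AuthPolicy()
    print(policy.may_send_plain(encrypted=True))   # refused: nothing fetched yet
    policy.on_list_extensions(["PLAIN", "DIGEST-MD5"])
    print(policy.may_send_plain(encrypted=True))   # allowed
```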


