ietf-nntp LIST EXTENSIONS
Ken Murchison
ken at oceana.com
Wed Sep 10 08:27:15 PDT 2003
Clive D.W. Feather wrote:
> Ken Murchison said:
>
>>1. If clients aren't going to use the extension discovery mechanism (or
>>we don't recommend that they do), why even bother having it? Just throw
>>it out and let clients go back to the trial-n-error method.
>
>
> I don't have a problem with "recommend". But "SHOULD" is rather stronger
> than that, and that's what my objection - at least - is about.

Per RFC 2119:

   3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
      may exist valid reasons in particular circumstances to ignore a
      particular item, but the full implications must be understood and
      carefully weighed before choosing a different course.

> There will be times when a discovery mechanism is useful. I'm just saying
> that it shouldn't be required every time, just left for when it *is*
> useful.
>
>
>>2. IMO it's bad form for a client to NOT use it. Why would I try a bunch
>>of commands (each with a roundtrip) just to find out that they aren't
>>supported, when in one roundtrip I can discover what I can and can't do?
>
>
> It's a question of tradeoffs. If 99% of servers provide OVER, for example,
> what's the point in using LIST EXTENSIONS to check? Or if
> my.favourite.server has offered STARTTLS the last 10 times I tried, what's
> the point in checking before trying again. I don't think our wording should
> oppose such approaches *when done properly*.

SHOULD does not oppose that at all.

>
>
>>Obviously, we can mandate good behavior,
>>but why not encourage it?
>
>
> Um, did you mean "can not mandate"? If so, then we're in violent agreement.

Yes, I meant "can not mandate". Brain faster (or slower depending on
your viewpoint) than fingers.

>>3. If we're going to strongly encourage LIST EXTENSIONS be used before
>>AUTHINFO (for security reasons),
>
>
> I haven't seen an argument for this.

See the other thread. It's a security issue. Sending plaintext
passwords to a server which doesn't accept them is bad.

> The term "SHOULD" has a specific meaning in RFCs, as you know. That meaning
> is far stronger than "encourage".
>
>
>>All of the similar messaging protocols (IMAP, POP3, SMTP) have
>>capability discovery commands, and clients are encouraged to and do use
>>them.
>
>
> SMTP is special in that the capability discovery command replaces the
> initial greeting command. I see nothing in RFC 2449 (POP3 extensions)
> suggesting that it SHOULD (note capitals) be used. I haven't looked at
> IMAP.

I haven't looked either. Maybe it's just common sense, or me being a
pain in the ass. I'm not going to put up a big fight. My main concern
is avoiding clients doing stupid things like exposing a user's password
when the server won't accept it.

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
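
The discovery-before-AUTHINFO behaviour argued for in this message, as an added example that is not part of the original post or of any NNTP draft: a client parses the LIST EXTENSIONS reply and sends a password only when the server advertises authentication. The `202` status code, the `AUTHINFO` label and the sample replies are assumptions constructed for illustration.

```python
# Added example. Status code and extension label are assumptions,
# not values taken from the post.
LIST_OK = "202"          # assumed: multi-line extension list follows
AUTH_LABEL = "AUTHINFO"  # assumed label of the authentication extension

def parse_extensions(raw: bytes):
    """Return (status, labels) for a LIST EXTENSIONS reply.

    labels maps extension label -> list of arguments, or is None when the
    server returned no list (error reply or unknown command).
    """
    lines = raw.decode("ascii", "replace").split("\r\n")
    status = lines[0][:3]
    if status != LIST_OK:
        return status, None
    labels = {}
    for line in lines[1:]:
        if line == ".":              # terminator of the multi-line block
            return status, labels
        if line.startswith(".."):    # undo dot-stuffing
            line = line[1:]
        parts = line.split()
        if parts:
            labels[parts[0].upper()] = [p.upper() for p in parts[1:]]
    # Never act on a partial list: a cut-off reply proves nothing.
    raise ValueError("truncated response: missing terminating '.'")

def password_decision(raw: bytes) -> str:
    """Decide whether AUTHINFO credentials may go on the wire.

    'send'     - server advertises the authentication extension
    'withhold' - server listed its extensions and authentication is absent
    'unknown'  - no discovery data; the caller chooses whether to risk
                 trial and error with the user's password
    """
    _status, labels = parse_extensions(raw)
    if labels is None:
        return "unknown"
    return "send" if AUTH_LABEL in labels else "withhold"

# Constructed sample replies (not captured from any real server).
ADVERTISES = b"202 Extensions supported:\r\nOVER\r\nAUTHINFO USER\r\n.\r\n"
NO_AUTH = b"202 Extensions supported:\r\nOVER\r\nHDR\r\n.\r\n"
NO_LIST = b"500 Unknown command\r\n"
TRUNCATED = b"202 Extensions supported:\r\nOVER\r\n"
```
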