ietf-nntp LIST EXTENSIONS

Ken Murchison ken at oceana.com
Wed Sep 10 08:27:15 PDT 2003


Clive D.W. Feather wrote:

> Ken Murchison said:
> 
>>1. If clients aren't going to use the extension discovery mechanism (or 
>>we don't recommend that they do), why even bother having it?  Just throw 
>>it out and let clients go back to the trial-n-error method.
> 
> 
> I don't have a problem with "recommend". But "SHOULD" is rather stronger
> than that, and that's what my objection - at least - is about.

Per RFC 2119:

3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
    may exist valid reasons in particular circumstances to ignore a
    particular item, but the full implications must be understood and
    carefully weighed before choosing a different course.

> There will be times when a discovery mechanism is useful. I'm just saying
> that it shouldn't be required every time, just left for when it *is*
> useful.
> 
> 
>>2. IMO it's bad form for a client to NOT use it.  Why would I try a bunch 
>>of commands (each with a roundtrip) just to find out that they aren't 
>>supported, when in one roundtrip I can discover what I can and can't do? 
> 
> 
> It's a question of tradeoffs. If 99% of servers provide OVER, for example,
> what's the point in using LIST EXTENSIONS to check? Or if
> my.favourite.server has offered STARTTLS the last 10 times I tried, what's
> the point in checking before trying again. I don't think our wording should
> oppose such approaches *when done properly*.

SHOULD does not oppose that at all.

> 
> 
>>Obviously, we can mandate good behavior, 
>>but why not encourage it?
> 
> 
> Um, did you mean "can not mandate"? If so, then we're in violent agreement.

Yes, I meant "can not mandate".  Brain faster (or slower depending on 
your viewpoint) than fingers.


>>3. If we're going to strongly encourage LIST EXTENSIONS be used before 
>>AUTHINFO (for security reasons),
> 
> 
> I haven't seen an argument for this.

See the other thread.  It's a security issue.  Sending plaintext 
passwords to a server which doesn't accept them is bad.


> The term "SHOULD" has a specific meaning in RFCs, as you know. That meaning
> is far stronger than "encourage".
> 
> 
>>All of the similar messaging protocols (IMAP, POP3, SMTP) have 
>>capability discovery commands, and clients are encouraged to and do use 
>>them.
> 
> 
> SMTP is special in that the capability discovery command replaces the
> initial greeting command. I see nothing in RFC 2449 (POP3 extensions)
> suggesting that it SHOULD (note capitals) be used. I haven't looked at
> IMAP.

I haven't looked either.  Maybe it's just common sense, or me being a 
pain in the ass.  I'm not going to put up a big fight.  My main concern 
is avoiding clients doing stupid things like exposing a user's password 
when the server won't accept it.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
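
Added example, not part of the original message or of any NNTP implementation: a client-side gate for the concern discussed above, which parses a LIST EXTENSIONS reply and releases AUTHINFO only when the server advertises it. The 202 status code, the "AUTHINFO USER" label form, the require-TLS policy and all function names are assumptions made for illustration.

```python
# Constructed sample reply (assumed wire format: status line, one extension
# label per line, terminated by a lone "."). Not captured from a real server.
SAMPLE_REPLY = [
    "202 Extensions supported:",
    "OVER",
    "STARTTLS",
    "AUTHINFO USER",
    ".",
]


def parse_extensions(lines):
    """Parse a multi-line LIST EXTENSIONS reply into {LABEL: [ARGS]}.

    Any status other than the assumed 202 means "nothing advertised", so the
    caller ends up on the path where no credentials are sent.
    """
    if not lines or not lines[0].startswith("202"):
        return {}
    exts = {}
    for line in lines[1:]:
        if line == ".":
            return exts
        words = line.split()
        if words:
            exts[words[0].upper()] = [w.upper() for w in words[1:]]
    # A reply without the terminator is incomplete: do not act on it.
    raise ValueError("truncated reply: missing terminating '.'")


def next_step(exts, tls_active):
    """Decide what the client may send next without exposing the password.

    Returns one of:
      "skip"     - AUTHINFO USER is not advertised: send no credentials
      "authinfo" - advertised and the channel is already protected
      "starttls" - negotiate TLS first, then repeat LIST EXTENSIONS
      "refuse"   - advertised, but only in the clear (local policy, assumed)
    """
    if "USER" not in exts.get("AUTHINFO", []):
        return "skip"
    if tls_active:
        return "authinfo"
    if "STARTTLS" in exts:
        return "starttls"
    return "refuse"


if __name__ == "__main__":
    print(next_step(parse_extensions(SAMPLE_REPLY), tls_active=False))
```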



