[NNTP] Notes on auxiliary documents

Russ Allbery rra at stanford.edu
Wed Dec 1 11:29:01 PST 2004


Charles Lindsey <chl at clerew.man.ac.uk> writes:

> Yes, but I explained why the usual SASL spirit might not apply to NNTP
> in my message of Nov 18th.

> Most SASL applications are there to prevent the Bad Guy from stealing MY
> resources (e.g. money from my bank account). But NNTP is different; SASL
> is there for protecting the server's resources from being used by the
> Bad Guy. Preserving state across authentication does no harm in that
> scenario, whereas _not_ preserving state _does_ do harm in the case I
> outlined, where I am suddenly asked to authenticate in the middle of
> reading a group because I suddenly encountered an article cross-posted
> to some other group with special restrictions on it.

I'm afraid that I don't find this argument particularly convincing.  The
point is to preserve the connection from outside tampering, and the reason
for discarding all state is that any amount of tampering might have
happened before the security layer was negotiated.

I'd be inclined to discard all server state except for the mode switch
when a security layer is negotiated, but I'd love to hear other opinions.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
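The following is an added illustration of the policy proposed in the message above (discard all server state except the MODE READER switch when a security layer is negotiated); it is not code from the thread or from any NNTP implementation. The session model, the `LAYERED` mechanism name, the `SPOOL` contents and the injected command are all constructed for the demo; the status codes are the standard NNTP ones, but the reply texts are simplified.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample spool for the demo: two groups, one article each.
SPOOL = {
    "comp.lang.python": {1: "Article from comp.lang.python"},
    "alt.planted": {1: "Article from alt.planted"},
}


@dataclass
class NntpSession:
    """Server-side state of one NNTP connection (simplified model)."""
    discard_state_on_layer: bool = True   # the policy under discussion
    mode_reader: bool = False             # the MODE READER switch
    group: Optional[str] = None           # currently selected newsgroup
    article: Optional[int] = None         # current article number
    authenticated: bool = False
    security_layer: bool = False

    def handle(self, line: str) -> str:
        """Process one command line and return the server's status line."""
        verb, *args = line.split()
        verb = verb.upper()
        if verb == "MODE" and args and args[0].upper() == "READER":
            self.mode_reader = True
            return "200 Reader mode, posting permitted"
        if verb == "GROUP":
            if not args or args[0] not in SPOOL:
                return "411 No such newsgroup"
            self.group = args[0]
            numbers = SPOOL[self.group]
            self.article = min(numbers)
            return f"211 {len(numbers)} {min(numbers)} {max(numbers)} {self.group}"
        if verb == "AUTHINFO" and len(args) >= 2 and args[0].upper() == "SASL":
            return self._sasl(args[1].upper())
        if verb == "ARTICLE":
            if self.group is None:
                return "412 No newsgroup selected"
            return f"220 {self.article} <id@example> {SPOOL[self.group][self.article]}"
        return "500 Unknown command"

    def _sasl(self, mechanism: str) -> str:
        # Toy mechanisms; no real authentication exchange is modelled.
        # PLAIN negotiates no security layer; the hypothetical LAYERED
        # stands in for a mechanism (e.g. GSSAPI) that ends with one.
        if mechanism == "PLAIN":
            self.authenticated = True
            return "281 Authentication accepted"
        if mechanism == "LAYERED":
            self.authenticated = True
            self.security_layer = True
            if self.discard_state_on_layer:
                # Everything learned over the unprotected channel is dropped,
                # except MODE READER, which only selects the command set.
                self.group = None
                self.article = None
            return "281 Authentication accepted"
        return "501 Unknown mechanism"


def tampered_session(discard: bool) -> Tuple[NntpSession, str, str]:
    """Replay a session in which an on-path attacker injected one command
    before the security layer existed (constructed scenario).  Returns the
    session, the reply to the client's first ARTICLE after authentication,
    and the reply after the client re-selects its group under the layer."""
    s = NntpSession(discard_state_on_layer=discard)
    s.handle("MODE READER")
    s.handle("GROUP comp.lang.python")   # what the client actually sent
    s.handle("GROUP alt.planted")        # injected by the attacker, unseen by the client
    s.handle("AUTHINFO SASL LAYERED")    # security layer now in effect
    first = s.handle("ARTICLE")          # client still believes it is in comp.lang.python
    s.handle("GROUP comp.lang.python")   # client re-selects, now protected
    second = s.handle("ARTICLE")
    return s, first, second
```

With `discard=True` the first ARTICLE after the layer comes back `412 No newsgroup selected`, so the client is forced to re-state its group over the protected channel and ends up reading the article it intended; `mode_reader` survives the reset. With `discard=False` the same ARTICLE silently serves the attacker's planted group, which is the tampering the reset is meant to cut off.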