[ietf-nntp] Re: SASL capability
Clive D.W. Feather
clive at demon.net
Fri Jun 11 01:26:28 PDT 2004
Charles Lindsey said:
>> The theory goes something like:
>
>> Client asks for mechanism list
>> Client picks "Best" mechanism, and authenticates
>> If client now has a protection layer (integrity or encryption), it can ask
>> for the list of mechanisms again.
>> If there is now a stronger mechanism available, then presumably you've
>> detected a MITM (note, there may be a weaker mechanism available as well,
>> but generally the idea is that the list shouldn't change at all).
>
> That sounds fine if encryption has been negotiated (assuming it cannot be
> broken by the MITM), but if only integrity has been established and the
> MITM is still there, then surely he can continue to report bogus lists of
> extensions? Or are we only trying to make it proof against a passive MITM?
It sounds like, to me, that protecting against a subset of MITM attacks
doesn't justify breaking our paradigm for reporting extensions.
--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | Fax: +44 870 051 9937
Demon Internet | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc | |
More information about the ietf-nntp
mailing list