[ietf-nntp] Reauthentication?

Jeffrey M. Vinocur jeff at litech.org
Tue Jun 15 15:41:50 PDT 2004


On Tue, 25 May 2004, Ken Murchison wrote:

> Does anyone have strong feelings on either requiring or disallowing 
> reauthentication within a single NNTP session?
>
> Unless there is an existing requirement, I'd like to disallow it since 
> it gets messy when SASL is involved.  None of the other messaging 
> protocols allow it either.

Since no one objected, Ken added the following text:

     After an AUTHINFO command has been successfully completed, no more
     AUTHINFO commands may be issued in the same session.  After a
     successful AUTHINFO command completes, a server MUST reject any
     further AUTHINFO commands with a 502 response.

Which raises a followup question.

Is the server permitted to return 480 to a client that has already
authenticated?  I would say not, since we're forbidding reauthentication
(but as there is a not entirely unreasonable argument for doing so in
order to guide the client into knowing when it might still be missing some
access rights, I just wanted to mention it).

If there's no further discussion, and Ken agrees, we'll add text 
forbidding the server to return 480 in the authenticated state.


-- 
Jeffrey M. Vinocur
jeff at litech.org
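
The session rule discussed in the message above, as an added example that is not part of the original post, the draft, or any NNTP server: a per-connection state machine that refuses AUTHINFO with 502 once authentication has succeeded and, following the proposal in the message, never answers 480 to an authenticated client. The account table, the restricted-command set, the placeholder return string, and every response code other than 480 and 502 are assumptions made for the illustration.

```python
import hmac

# Added illustration, not code from the draft or from any NNTP server.
# Codes other than 480 and 502 (281, 381, 481, 482, 501) are assumed here.
ACCOUNTS = {"reader": ("s3cret", {"GROUP"})}   # constructed: user -> (password, rights)
RESTRICTED = {"GROUP", "POST"}                  # constructed: commands needing rights

class Session:
    def __init__(self):
        self.pending_user = None   # name given by AUTHINFO USER, awaiting PASS
        self.user = None           # set once AUTHINFO has completed successfully

    def handle(self, line):
        words = line.split()
        verb = words[0].upper() if words else ""
        if verb == "AUTHINFO":
            return self._authinfo(words[1:])
        if verb in RESTRICTED:
            if self.user is None:
                return "480 Authentication required"
            if verb not in ACCOUNTS[self.user][1]:
                # Authenticated but lacking rights: 480 would ask for an
                # AUTHINFO that must then be refused, so answer 502.
                return "502 Command unavailable"
        return "(command runs)"    # placeholder for normal processing

    def _authinfo(self, args):
        if self.user is not None:
            return "502 Command unavailable"   # no AUTHINFO after a success
        if len(args) != 2:
            return "501 Syntax error"
        kind, value = args[0].upper(), args[1]
        if kind == "USER":
            self.pending_user = value
            return "381 Password required"
        if kind != "PASS":
            return "501 Syntax error"
        if self.pending_user is None:
            return "482 Authentication commands issued out of sequence"
        name, self.pending_user = self.pending_user, None
        stored = ACCOUNTS.get(name)
        if stored and hmac.compare_digest(stored[0].encode(), value.encode()):
            self.user = name
            return "281 Authentication accepted"
        return "481 Authentication failed"     # a failure leaves AUTHINFO usable

def replay(lines):
    session = Session()
    return [session.handle(line) for line in lines]
```

Only a successful AUTHINFO closes the door: a failed attempt leaves the session unauthenticated, so the client may try again.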


