[ietf-nntp] draft-ietf-nntpext-tls-nntp-01.txt
Clive D.W. Feather
clive at demon.net
Tue Mar 9 00:51:27 PST 2004
Russ Allbery said:
>> (2) involves providing an explicit indication of a problem. (1) doesn't;
>> the draft even points out that a client might reasonably assume it was a
>> transient network failure and try again. I can't see any sensible way
>> for a client to determine which of the two applies if the connection
>> closes during a STARTTLS command.
> The client knows that the server requested more encryption and the client
> turned it down, doesn't it? Hm.
No. At least, I don't think so.
I don't know the details of TLS, so I don't know whether one side advertises
capabilities and the other side picks, or if one side requests something
and the other side makes a counter-offer, or what. But what the present
text says is, summarised:
- the negotiation was successful;
- the server is unhappy with the situation.
It's not at all clear to me that the client *knows*, through TLS, why the
server is unhappy, and the text even says that:
the client may interpret this behavior as a network problem and
immediately reconnect and issue the same command sequence
>> In fact, thinking again, it would appear to me that the optimal behaviour
>> for the server in this situation is:
>> - respond to the first NNTP command with "483 not enough security"
>> - respond to the second NNTP command with "400 not enough security".
>> That minimizes the resource tie-up mentioned as a problem with (2) while
>> making it clear there's a problem.
> This is a reasonable alternative solution to propose. I wouldn't mind
> seeing that in the draft.
This would be my preference *if* the present flow of control is set in
stone.
However, I'm a little bothered by the asymmetry between TLS failure, where
the *server* moves next (issuing a response code), and success, where the
*client* moves next (issuing a command). If this isn't cast in stone, then
I would strongly suggest making it always the server. This has an
additional benefit: you can specify that, after TLS negotiation ends
successfully, both sides return to the NNTP initial connection state with
the server issuing an initial greeting. I suspect this will make things
easier for client design.
--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | *** NOTE CHANGE ***
Demon Internet | WWW: http://www.davros.org | Fax: +44 870 051 9937
Thus plc | | Mobile: +44 7973 377646
More information about the ietf-nntp
mailing list