[ietf-nntp] I-D ACTION:draft-ietf-nntpext-authinfo-00.txt

Clive D.W. Feather clive at demon.net
Tue May 25 23:17:53 PDT 2004 

Russ Allbery said:
>>>> I would drop the bit about 480, which contradicts the base
>>>> document. Apart from QUIT, a server *can* give 480 to anything,
>>>> including HELP. At least, the client shouldn't fall over if it gets a
>>>> 480, and we've previously suggested 480-to-everything as meaning "you
>>>> need to log in".
>>> I think we need to forbid it for QUIT, AUTHINFO, and LIST EXTENSIONS
>>> for protocol reasons.
>> That requires a change to the base document. Um:
> 
>>     The client MUST be prepared to receive any of these responses for
>>     any command (except, of course, that the server MUST NOT generate a
>>     500 response code for mandatory commands).
> 
> I don't think it does require a change there.  You're just saying that the
> client MUST be prepared to receive a 480 response in places where it
> doesn't make sense, but we're separately saying that sending it doesn't
> make any sense and the server MUST NOT send it.

I think we're interpreting words in slightly different ways. For AUTHINFO,
we can say in this document that the server MUST NOT send 480.

However, I can see nothing that forbids the server responding 480 to QUIT
or LIST EXTENSIONS. We need to change the base document to address that.

>>>> Section 2.1: there's no reason to forbid pipelining.
>>> I disagree.  We forbid pipelining because the client MUST NOT send the
>>> user's password if the server returns 502 in response to AUTHINFO USER.
>> That's a Security Consideration, not an interoperability one.
> MUST NOT is valid for security issues ("to limit behavior which has
> potential for causing harm").

Oh. Okay.

>> Surely MUST NOT is the wrong wording. In particular, pipelining is safe
>> if TLS is in place.
> I think safe is overstating it.  You're still exposing the password to the
> server; if the user entered the wrong username/password pair, refusing to
> pipeline AUTHINFO will mean not exposing that invalid password to the
> server.

Not if the server requires the password before checking, which is after all
considered Best Practice (so as not to allow people to determine valid user
names)!

[I'm now happy for it not to be pipelined, but I think there's an
inconsistency between "don't expose password unnecessarily" and "don't
verify user name until password received".]

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |

More information about the ietf-nntp mailing list