[ietf-nntp] I-D ACTION:draft-ietf-nntpext-authinfo-00.txt

Russ Allbery rra at stanford.edu
Tue May 25 23:29:02 PDT 2004


Clive D W Feather <clive at demon.net> writes:

> I think we're interpreting words in slightly different ways. For
> AUTHINFO, we can say in this document that the server MUST NOT send 480.

> However, I can see nothing that forbids the server responding 480 to QUIT
> or LIST EXTENSIONS. We need to change the base document to address that.

Oh, I see your point.

Hm.  Yeah, I'm not sure that it matters enough to go to the trouble; some
things should be pretty obvious.  I guess the only one that I can see some
worry about is LIST EXTENSIONS, just because I can see someone making that
error by mistake.

>> I think safe is overstating it.  You're still exposing the password to
>> the server; if the user entered the wrong username/password pair,
>> refusing to pipeline AUTHINFO will mean not exposing that invalid
>> password to the server.

> Not if the server requires the password before checking, which is after
> all considered Best Practice (so as not to allow people to determine
> valid user names)!

True.  I can come up with more specific circumstances, but yeah, it mostly
matters for the non-TLS case where AUTHINFO USER is going to get rejected
with a different error.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
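As an added illustration (not part of this thread or of any NNTP server's code), a toy server-side AUTHINFO state machine in Python that shows the two points discussed above: it never answers QUIT or LIST EXTENSIONS with 480, and it accepts any AUTHINFO USER with 381 and validates the username only together with the password, so a 481 does not reveal whether the account exists. The credential store, salt and the non-AUTHINFO commands it recognises are constructed assumptions; a real server would use a proper password hash.

```python
import hashlib
import hmac

# Constructed credential store (assumption): username -> salted SHA-256 digest.
_SALT = b"constructed-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


USERS = {"alice": _digest("correct horse")}
_DUMMY = _digest("")  # compared against when the user is unknown


class AuthState:
    """Per-connection AUTHINFO state for a toy NNTP server."""

    def __init__(self) -> None:
        self.pending_user = None   # set by AUTHINFO USER, cleared by PASS
        self.authenticated = None  # username once AUTHINFO PASS succeeds

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTHINFO":
            return self._authinfo(arg)
        # These must work whether or not the client has authenticated,
        # so they are never answered with 480.
        if verb == "QUIT":
            return "205 closing connection"
        if verb == "LIST" and arg.upper() == "EXTENSIONS":
            return "202 Extensions supported:\r\nAUTHINFO USER\r\n."
        if self.authenticated is None:
            return "480 Authentication required"
        return "200 ok"  # stand-in for every other command

    def _authinfo(self, arg: str) -> str:
        sub, _, value = arg.partition(" ")
        sub = sub.upper()
        if self.authenticated is not None:
            return "502 Command unavailable"  # already authenticated
        if sub == "USER":
            # Accept every username without looking it up; the account is
            # only checked once the password arrives, so 381 leaks nothing.
            self.pending_user = value
            return "381 Password required"
        if sub == "PASS":
            if self.pending_user is None:
                return "482 Authentication commands issued out of sequence"
            user, self.pending_user = self.pending_user, None
            expected = USERS.get(user, _DUMMY)
            good = hmac.compare_digest(expected, _digest(value))
            if good and user in USERS:
                self.authenticated = user
                return "281 Authentication accepted"
            return "481 Authentication failed/rejected"  # same for bad user or bad password
        return "501 Unknown AUTHINFO subcommand"
```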


