[NNTP] Proposed changes to draft-ietf-nntpext-authinfo-05

Ken Murchison ken at oceana.com
Wed Nov 3 08:44:15 PST 2004


Changes from Previous Version:

   Changed:
   o  Changed reference to IANA requirements in [NNTP] from Section 8 to
      Section 8.1.

   Clarified:
   o  Rewrote the LIST EXTENSIONS after security layer text yet again.



Relevant text diff:

  After a successful authentication, the client MUST NOT issue another
-AUTHINFO command in the same session and a server MUST reject any
-further AUTHINFO commands with a 502 response.  The client SHOULD send
-a LIST EXTENSIONS command as the first command after a successful
-authentication.
+AUTHINFO command in the same session.  In agreement with [SASL], if a
+security layer is established as part of the authentication, the
+server MUST continue to advertise the AUTHINFO extension label in
+response to a LIST EXTENSIONS command with the same arguments as
+before authentication (thereby enabling the client to detect a
+possible active down-negotiation attack).  Otherwise, the server MUST
+NOT return the AUTHINFO extension label in response to a LIST
+EXTENSIONS command.  In either case, the server MUST reject any
+subsequent AUTHINFO commands with a 502 response.

  The extensions returned in response to a LIST EXTENSIONS command
  received after authentication MAY be different that the list returned
  before authentication.  For example an NNTP server may not want to
  advertise support for a specific extension unless a client has been
  authenticated.
-
-A server MUST NOT return the AUTHINFO extension label in response to a
-LIST EXTENSIONS command received after authentication (since no
-further AUTHINFO commands may be issued), unless a SASL security layer
-was negotiated as part of the authentication.  Per [SASL], if a security
-layer has been established the server MUST continue to advertise the
-AUTHINFO extension label with the same arguments as before
-authentication so that the client may be able to detect a possible
-active down-negotiation attack (note that clients still MUST NOT issue
-further AUTHINFO commands).
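Review bot: the client-side half of the downgrade check has been dropped from this hunk. The removed sentence "The client SHOULD send a LIST EXTENSIONS command as the first command after a successful authentication" is not carried over into the new text, yet detecting "a possible active down-negotiation attack" only works if the client actually re-issues LIST EXTENSIONS once the security layer is in place and compares the AUTHINFO arguments with what it saw before authentication; consider restoring that SHOULD (at least for the security-layer case) and stating what the client does on a mismatch (e.g. treat the session as compromised and close it). Minor: the unchanged line "MAY be different that the list returned" should read "different from the list returned".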

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
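The server-side MUSTs in the new text imply a comparison on the client side. As an added example (not code from the draft, from this message, or from any NNTP server or client), the Python below parses two LIST EXTENSIONS bodies and applies the rule for both the security-layer and the no-security-layer case. The response format (label plus arguments per line, lone "." terminator, dot-stuffing) and the placement of the SASL mechanism names as arguments of the AUTHINFO label are assumptions not stated in the quoted text, and every response line is constructed for illustration.

```python
"""Client-side check for the AUTHINFO / LIST EXTENSIONS rule quoted above.

Added example; not code from the draft or from any NNTP implementation.
Assumptions (not stated in the draft text on this page):
  * the body of a LIST EXTENSIONS response is a list of 'LABEL [arg ...]'
    lines ending with a lone '.' line, dot-stuffed like other NNTP
    multi-line responses;
  * the SASL mechanisms a server offers appear as arguments of the
    AUTHINFO label, which is what an active attacker would edit.
All response lines below are constructed for illustration.
"""


def parse_extensions(lines):
    """Map each extension label in a LIST EXTENSIONS body to its argument tuple."""
    exts = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == ".":            # end of multi-line response
            break
        if line.startswith(".."):  # undo NNTP dot-stuffing
            line = line[1:]
        parts = line.split()
        if parts:
            exts[parts[0].upper()] = tuple(parts[1:])
    return exts


def check_post_auth_extensions(before, after, security_layer):
    """Apply the draft's MUSTs to the lists seen before and after AUTHINFO.

    `before` is what the (still unprotected) connection showed before
    authentication, `after` what the server returns to a LIST EXTENSIONS
    sent once authentication has completed.  Returns (ok, reason).
    """
    if security_layer:
        # With a security layer the server MUST re-advertise AUTHINFO with
        # identical arguments.  Exact tuple comparison: any reordering or
        # missing mechanism is treated as tampering, not as noise.
        if "AUTHINFO" not in after:
            return False, "AUTHINFO label missing after security layer"
        if before.get("AUTHINFO") != after["AUTHINFO"]:
            return False, ("AUTHINFO arguments differ: possible active "
                           "down-negotiation of the pre-auth list")
        return True, "AUTHINFO re-advertised with identical arguments"
    # Without a security layer the label MUST NOT be returned at all.
    if "AUTHINFO" in after:
        return False, "AUTHINFO still advertised without a security layer"
    return True, "AUTHINFO withdrawn after authentication"


# Constructed responses.  GENUINE is what the server really sends; TAMPERED is
# what an attacker on the cleartext connection could substitute before
# authentication to steer the client away from GSSAPI.  DIGEST-MD5 still
# yields a security layer, so the post-auth list arrives intact and exposes
# the edit.
GENUINE = ["AUTHINFO SASL GSSAPI DIGEST-MD5 PLAIN", "STREAMING", "."]
TAMPERED = ["AUTHINFO SASL DIGEST-MD5 PLAIN", "STREAMING", "."]
AFTER_NO_LAYER = ["STREAMING", "."]


def scenarios():
    """Run the four cases the draft text distinguishes; returns {name: (ok, reason)}."""
    genuine = parse_extensions(GENUINE)
    return {
        "honest server, security layer":
            check_post_auth_extensions(genuine, genuine, True),
        "pre-auth list tampered, security layer":
            check_post_auth_extensions(parse_extensions(TAMPERED), genuine, True),
        "honest server, no security layer":
            check_post_auth_extensions(genuine, parse_extensions(AFTER_NO_LAYER), False),
        "non-compliant server, no security layer":
            check_post_auth_extensions(genuine, genuine, False),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

Only the AUTHINFO arguments are compared, because that is all the quoted text requires to stay identical; the preceding paragraph explicitly allows the other labels to change after authentication, so a client that diffed the whole list would raise false alarms. The comparison is deliberately exact rather than set-based: in the tampering case the attacker removed one mechanism, and any tolerance for "small" differences would hide exactly that.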


