[NNTP] LIST EXTENSIONS (again)

Ken Murchison ken at oceana.com
Tue Nov 9 06:47:24 PST 2004


Clive D.W. Feather wrote:

>>The only issue would be
>>that if a SASL security layer is negotiated, any extensions returned in
>>the response would probably be ignored by the client anyways, since the
>>response is sent in the clear.  Only subsequent commands (e.g. LIST
>>EXTENSION) are protected by the SASL security layer.
> 
> 
> Um, just out of interest, doesn't this mean that the argument of a 283
> response is insecure as well?

Yes.  It's designed this way because the client may not yet know what 
security layer(s) the server has selected.  Just like TLS, the security 
layer can't take effect until negotiation has completed.

Typically nothing in the server's final challenge needs to be protected 
(at least nothing in the mechs that I'm familiar with).


> Can I make a proposal here? It might sound odd, but bear with me.
> 
> *IF* an SASL security layer is negotiated, the server replies with two
> responses:
> * a 180 response meaning "security layer negotiated"
> * the 281 or 283 response as normal
> with the security layer coming into effect at the end of the 180, *not* the
> 28x.

We'd be straying from the beaten path (IMAP, POP, SMTP) with this 
proposal which is something that I'd personally like to avoid.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
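
The timing discussed in this message, as an added sketch that is not part of the original post or of any NNTP implementation: the client reads the 28x response in the clear, switches the security layer on only afterwards, and drops extension data it saw before that point. The `Client` class, the transcript, the extension labels and the 202 code for LIST EXTENSIONS are constructed assumptions.

```python
from dataclasses import dataclass, field

AUTH_OK = {"281", "283"}  # success codes named in the thread


@dataclass
class Client:
    layer_negotiated: bool          # assumed known once the mechanism finishes
    layer_active: bool = False      # is the SASL security layer in effect yet?
    ext: set = field(default_factory=set)         # extensions currently believed
    discarded: list = field(default_factory=list)  # data dropped as unprotected

    def on_response(self, command, code, ext_lines=()):
        """Handle one response; return True if it arrived under the layer."""
        protected = self.layer_active  # status of *this* response on the wire
        auth_done = command.startswith("AUTHINFO SASL") and code in AUTH_OK
        if auth_done and self.layer_negotiated:
            # The 28x response itself is cleartext. Drop what it carried and
            # everything learned earlier, then start the layer for what follows.
            self.discarded.extend(sorted(self.ext) + list(ext_lines))
            self.ext = set()
            self.layer_active = True
        elif ext_lines:
            # No layer was negotiated, or we are already inside it.
            self.ext = set(ext_lines)
        return protected


def demo(layer_negotiated):
    """Replay a constructed transcript; return the client and per-response flags."""
    c = Client(layer_negotiated)
    flags = [
        # Pre-authentication listing, sent in the clear.
        c.on_response("LIST EXTENSIONS", "202", ["SASL", "OVER"]),
        # Hypothetical 283 carrying an extension list, as discussed in the thread.
        c.on_response("AUTHINFO SASL DIGEST-MD5", "283", ["SASL", "OVER", "STARTTLS"]),
        # Re-issued listing, now protected if a layer was negotiated.
        c.on_response("LIST EXTENSIONS", "202", ["OVER"]),
    ]
    return c, flags


if __name__ == "__main__":
    for negotiated in (True, False):
        client, flags = demo(negotiated)
        print(negotiated, flags, sorted(client.ext), client.discarded)
```
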


