[NNTP] LIST EXTENSIONS (again)

Clive D.W. Feather clive at demon.net
Wed Nov 10 00:41:21 PST 2004


Ken Murchison said:
>>>>Um, just out of interest, doesn't this mean that the argument of a 283
>>>>response is insecure as well?
>>>Yes.  It's designed this way because the client may not yet know what 
>>>security layer(s) the server has selected.  Just like TLS, the security 
>>>layer can't take effect until negotiation has completed.
>>But that's nothing to do with the content of the 283, is it?
> It may.  The last server "challenge" is more than a "negotiation 
> complete" message.  It's typically used for the server to authenticate 
> itself to the client, but *could* be used to say "here's the cipher/MAC 
> that I've agreed to use for the rest of the session".

Okay.

> Actually, now that I think about it none of IMAP, POP or SMTP support 
> "success data" in the response.  Only newer SASL-enabled protocols 
> (LDAP, BEEP?) support this in their SASL profiles.  Nonetheless, the 
> SASL spec states:
> 
> "The security layer takes effect immediately following the last response 
> of the authentication exchange for data sent by the client and the 
> completion indication for data sent by the server."
> 
> I guess the term "completion indication" could be somewhat misleading, 
> but I *think* this is pretty clear that the "success data" response 
> should NOT be encrypted in any way.

I disagree. I read "data", in that quote, as being the low-level exchanges
of the protocol. It says that the client turns on the layer immediately
after sending the last response, and the server immediately after sending
the "completion indication", whatever that is.

Now in NNTP as currently written, the completion indication happens to be
the 281/283 response, so the extra data happens to be within it. But
there's no reason why a protocol can't have the server send data after the
completion response, precisely so that it *is* protected.

I can see that you sometimes need that data to complete setting up the
security layer, which is why I proposed the two-stage response.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |
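To make the point of disagreement concrete, here is a small model of the NNTP SASL exchange, added as an illustration and not code from the thread or from any NNTP implementation. It applies the quoted SASL rule literally (the client's layer starts after its last response, the server's after its completion indication) and logs, for each message, whether the sender's layer was already in effect. The mechanism name, challenge text and the variant that sends the server's final data in a separate message after a 281 are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    """One side of the exchange; layer_on models a negotiated SASL
    security layer (integrity or confidentiality) being in effect."""
    name: str
    layer_on: bool = False

    def send(self, text, log):
        # A message is protected only if the sender's layer is already on.
        log.append((self.name, text, self.layer_on))


def nntp_sasl_exchange(final_data_after_completion: bool):
    """Return the exchange as (sender, text, protected) tuples.

    False: the server's final data rides inside the 283 response, as in
           the NNTP draft under discussion.
    True:  hypothetical variant (constructed here) in which the server
           completes with a bare 281 and sends its final data afterwards.
    """
    client, server = Endpoint("C"), Endpoint("S")
    log = []
    client.send("AUTHINFO SASL DIGEST-MD5", log)     # mechanism: sample value
    server.send("383 <server-challenge>", log)
    client.send("<client-response>", log)            # client's last response
    client.layer_on = True   # SASL: client layer starts right after this
    if final_data_after_completion:
        server.send("281 Authentication accepted", log)  # completion indication
        server.layer_on = True
        server.send("<server-final-data>", log)     # sent after completion
    else:
        server.send("283 <server-final-data>", log)  # data inside completion
        server.layer_on = True
    # Everything from here on travels under both sides' layers.
    client.send("GROUP news.software.nntp", log)
    server.send("211 0 0 0 news.software.nntp", log)
    return log


def final_data_protected(log):
    """Was the server's final data covered by the server's layer?"""
    return next(prot for _, text, prot in log if "server-final-data" in text)
```

Running both variants shows the asymmetry the thread is about: with the data inside the 283 it is sent before the server's layer exists, whereas a message sent after the completion indication is covered.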