[NNTP] Notes on auxiliary documents

Clive D.W. Feather clive at demon.net
Thu Nov 11 01:58:46 PST 2004 

A cluster of notes on the three auxiliary documents (authinfo, tls, and 
streaming). Mostly editorial.


General
=======
The word "draft" shouldn't be used to refer to the document itself. It 
should be "specification" or "document".

The core specification never includes generic responses in the pro-forma 
sections for each command (unless they have some unusual meaning, such 
as 502 for MODE READER). They *are* referred to in the description to 
explain how to report various situations. The one case I have 
specifically noted is in STARTTLS, but there may be others.


authinfo-05
===========
Section 1 para 1: change "has traditionally provided public access" to 
"has traditionally been used to provide public access". [NNTP is the 
mechanism, not the agent.]

Next para, last sentence, I would reword as:

    Due to their ubiquity they are formalized in this specification but,
    because of their insecurity, only for use ...

Section 2.2: "Servers are not required to accept unsolicited 
authentication". I don't follow this. Since the server advertises its 
conformance with this document (through CAPABILITY / LIST EXTENSIONS), 
it is soliciting authentication. The only way I can read this is that, 
despite that, authentication is not permitted *until* a 480 happens. Um:

    [C] LIST EXTENSIONS
    [S] 202
    [S] AUTHINFO USER SASL:EXTERNAL
    [S] .
    [C] AUTHINFO USER fred flintstone
    [S] 481 unsolicited authentication rejected (or is it 503?)
    [C] GROUP secret.group
    [S] 480 need to authenticate
    [C] AUTHINFO USER fred flintstone
    [S] 281 Hello Fred.

Surely that can't be desirable?

Section 2.4.2: I know that we've discussed this before, but I think the 
code for "don't handle this mechanism" shouldn't be 501 but, rather, 503 
or something AUTHINFO-specific.

Just above the wording you changed, I suggested that "if a security 
layer as part of the authentication," be deleted after "In agreement 
with [SASL]". If this ability is useful (I'm still agnostic), then it 
could be useful in other circumstances as well.

Sections 2.4.2 and 6: we say that the server MUST discard all knowledge. 
Does this include NNTP state? E.g.

    [C] GROUP a.group
    [S] 211 10 555 666 a.group selected
    [C] AUTHINFO SASL MECHANISM
    [SASL details omitted, security layer created]
    [S] 281
    [C] ARTICLE 10

Does the server respond with 220 or 412? Whichever the answer is, it 
needs to be made more clear.

Section 3.1: in the last paragraph, insert ", both exclusive, after 
"between the first ... CRLF".

Section 6, last paragraph: add something like "The minimum strength 
acceptable will, of course, depend on specific circumstances and is 
outside the scope of this specification." Otherwise it implies there's 
some definition of "weak" which we're hiding (just to be perverse?).


streaming-02
============

I notice that you switch between "pipeline", "stream", and "asynchronous 
transfer" with no apparent consistency. We agreed to call the basic 
concept "pipelining", and that's what the core document calls it. You 
may want to revisit this.

Section 1 (and possibly elsewhere) talks about "server-to-server". NNTP 
doesn't have server-to-server links. Again, we should be consistent and 
only say "peer-to-peer" and "client-to-server".

Section 2.3.2 gives too much emphasis on non-conforming implementations. 
Replace it completely with something very similar to:

    On a server which conforms to this specification, the MODE STREAM
    command MUST return a 203 response (or 501 if an argument is given)
    and MUST NOT have any other effect.

    Historic note: some old server implementations did not advertise
    streaming in the response to LIST EXTENSIONS but provided CHECK and
    TAKETHIS commands similar or identical to those in this document.
    Clients could test for this by issuing the MODE STREAM command; if
    it succeeded, pipelining was possible. However, even if the command
    succeeded it does not mean that the CHECK and TAKETHIS commands
    conform to this specification. Clients SHOULD use the CAPABILITY
    command to determine server capabilities.

Section 2.4.2: is "another client is sending the same article" the best 
example? Surely "disc full" or something like that would be better.


tls-03
======

Section 2.2.2 para 6: The text "The TLS negotiation begins ... response" 
only handles one direction; compare the corresponding text in AUTHINFO 
SASL. It should be something like "For the server to client direction, 
the TLS negotiation ... response; for client to server it begins with 
the next octet sent after the CRLF at the end of the command."

In the following paragraph, surely "MUST discard" should be "SHOULD NOT 
rely on", since the client can still make heuristic decisions.

Section 5 para 3: you've got two sentences beginning "Further,"; I would 
omit the first instance. And the last sentence needs something like "or 
vice versa" at the end.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |

More information about the ietf-nntp mailing list