[NNTP] Notes on auxiliary documents

Russ Allbery rra at stanford.edu
Tue Nov 30 19:48:23 PST 2004


Jeffrey M Vinocur <jeff at litech.org> writes:

> Y'know, there's a subtlety here I can't quite wrap my head around.
> Everyone seems to like the "advertising AUTHINFO is enough to
> effectively eliminate the 480 response" idea, if I'm reading the list
> right.  But have we come to a conclusion that reactive authentication is
> bad?  I mean, what if the server advertises AUTHINFO because some users
> can authenticate, but most users won't need to.  Then the client
> software still has no way to know if it should prompt the user for
> authentication parameters or not.  So I guess we still need 480.

I think we still need 480.

It's not at all clear to me how useful it really will be going forward,
but this seems to be something we can let the marketplace decide.  If in
five years everyone is just authing on initial connection, we could look
at getting rid of it.

> I think it would be hard to do so as well.  But in the "current
> practice" realm, the client has no way of telling if the server supports
> AUTHINFO at all, and so it might appear as a "failure of unsolicited
> authentication" in that case.  If you think we don't need to document
> this, I certainly don't feel strongly about it...the existing text reads
> as it does really by accident.

Yeah, I wouldn't worry about this.  I think we can safely require the
server to accept AUTHINFO at any point until the client has authenticated.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
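
The reactive flow discussed in this thread, as an added example that is not part of the original message or of any NNTP implementation: the server advertises AUTHINFO but only one group needs it, so the client prompts for credentials only when a command draws a 480, then retries. StubServer, send_with_reactive_auth, the group names and credentials are constructed for illustration; the 381/281/481/482/502 replies are assumptions taken from the later AUTHINFO specification (RFC 4643), not from the message.

```python
# Constructed in-memory stand-in for an NNTP server; not a real server or library.
class StubServer:
    """Advertises AUTHINFO, but only groups in `restricted` require it."""
    def __init__(self, users, restricted):
        self.users, self.restricted = users, restricted
        self.authed, self.pending_user = False, None

    def command(self, line):
        verb, _, arg = line.partition(" ")
        if verb.upper() == "AUTHINFO":
            # Accepted at any point until the client has authenticated;
            # the 502 afterwards is an assumption from RFC 4643.
            if self.authed:
                return "502 Command unavailable"
            kind, _, value = arg.partition(" ")
            if kind.upper() == "USER":
                self.pending_user = value
                return "381 Password required"
            if kind.upper() == "PASS" and self.pending_user is not None:
                ok = self.users.get(self.pending_user) == value
                self.authed, self.pending_user = ok, None
                return "281 Authentication accepted" if ok else "481 Authentication failed"
            return "482 Authentication commands issued out of sequence"
        if verb.upper() == "GROUP":
            if arg in self.restricted and not self.authed:
                return "480 Authentication required"
            return f"211 0 0 0 {arg}"
        return "500 Unknown command"


def send_with_reactive_auth(server, line, get_credentials):
    """Send `line`; ask the user for credentials only if the reply is 480."""
    reply = server.command(line)
    if not reply.startswith("480"):
        return reply                      # no prompt for users who need no auth
    user, password = get_credentials()    # the 480 is the only signal to prompt
    reply = server.command(f"AUTHINFO USER {user}")
    if reply.startswith("381"):
        reply = server.command(f"AUTHINFO PASS {password}")
    if not reply.startswith("281"):
        return reply                      # e.g. 481: surface the failure, no retry
    return server.command(line)           # repeat the command that drew the 480
```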
