[NNTP] draft-ietf-nntpext-authinfo-04

Clive D.W. Feather clive at demon.net
Mon Oct 4 02:49:19 PDT 2004


Ken Murchison said:
>> Since you can only ever do one successful AUTHINFO, the capability isn't
>> available *at all* afterwards. Therefore the options are either:
>> * don't show AUTHINFO, matching reality
>> * show AUTHINFO, matching [SASL].
>> Since we've already agreed on the latter, let's require the entire AUTHINFO
>> capability to be the same as before authorisation - that way, if the
>> information *is* of use in detecting attacks, it's there.
> 
> Actually, since this is a SASL-only issue I didn't feel that it made any 
> sense to continue to list USER.  That being said, I won't argue strongly 
> either way.  Opinions?

Well, if this defence works at all it might work for other mechanisms than
SASL. So better to keep the line the same rather than just show the SASL
stuff.

>> So replace these two paragraphs with:
>> 
>>     Note that a successful AUTHINFO command MAY cause the output of
>>     the LIST EXTENSIONS command to change. However, the AUTHINFO
>>     capability MUST continue to be listed with the same arguments as
>>     immediately before the authentication, notwithstanding the fact
>>     that no further AUTHINFO commands may be issued (this is a superset
>>     of the recommendation in [SASL] and can help in detecting an active
>>     down-negotiation attack).
>> 
>> Possibly this can be merged with the previous paragraph ("After an AUTHINFO
>> command ... 502 response.").
>> 
>> [Note I've deleted the reference to 2.4.2; I can't see any need for it.]
> 
> Actually, I intended to remove the last paragraph entirely and 
> apparently didn't.  Would removing it be sufficient, or do you still 
> want to address this in some way?

I think there are benefits in retaining the text I proposed.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |
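The check that the proposed wording makes possible, as an added example that is not part of this thread or of the draft: a client records the AUTHINFO capability line from LIST EXTENSIONS before authenticating, then compares it with the line advertised afterwards and flags any difference. The parser, function names and sample responses are constructed for this example; the same comparison can be applied to another capability line (such as SASL) via the `capability` argument.

```python
from typing import Dict, List, Optional


def parse_list_extensions(response: str) -> Dict[str, List[str]]:
    """Parse a multi-line LIST EXTENSIONS response into {CAPABILITY: [args]}.

    The first line is the status line and is not interpreted here; the
    capability lines follow and the block ends with a lone '.'.  Lines that
    start with '..' are dot-stuffed and have one leading dot removed.
    """
    lines = response.splitlines()
    if not lines:
        raise ValueError("empty response")
    caps: Dict[str, List[str]] = {}
    for raw in lines[1:]:
        if raw == ".":
            break
        line = raw[1:] if raw.startswith("..") else raw
        if not line.strip():
            continue
        name, *args = line.split()
        caps[name.upper()] = args
    else:
        raise ValueError("response not terminated by '.'")
    return caps


def capability_changed(before: str, after: str, capability: str = "AUTHINFO") -> bool:
    """True if the named capability's arguments differ after authentication.

    Per the proposed text, AUTHINFO must be listed with the same arguments as
    immediately before the AUTHINFO command, so a change is worth reporting.
    """
    pre: Optional[List[str]] = parse_list_extensions(before).get(capability)
    post: Optional[List[str]] = parse_list_extensions(after).get(capability)
    if pre is None:
        return False  # nothing was advertised beforehand, nothing to compare
    return post != pre


# Constructed sample exchanges (not real server output).
BEFORE = "202 Extensions supported:\r\nAUTHINFO USER SASL\r\nSASL CRAM-MD5 DIGEST-MD5\r\nLISTGROUP\r\n.\r\n"
# Extra capabilities appearing after login are allowed; AUTHINFO is unchanged.
AFTER_OK = "202 Extensions supported:\r\nAUTHINFO USER SASL\r\nSASL CRAM-MD5 DIGEST-MD5\r\nLISTGROUP\r\nOVER\r\n.\r\n"
# AUTHINFO now advertises fewer arguments than before: report it.
AFTER_BAD = "202 Extensions supported:\r\nAUTHINFO USER\r\nLISTGROUP\r\n.\r\n"

if __name__ == "__main__":
    print("after OK login changed:", capability_changed(BEFORE, AFTER_OK))
    print("after suspicious login changed:", capability_changed(BEFORE, AFTER_BAD))
```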