[NNTP] draft-ietf-nntpext-authinfo-04

Clive D.W. Feather clive at demon.net
Mon Oct 4 02:58:13 PDT 2004


>>> Since you can only ever do one successful AUTHINFO, the capability isn't
>>> available *at all* afterwards. Therefore the options are either:
>>> * don't show AUTHINFO, matching reality
>>> * show AUTHINFO, matching [SASL].
>>> Since we've already agreed on the latter, let's require the entire AUTHINFO
>>> capability to be the same as before authorisation - that way, if the
>>> information *is* of use in detecting attacks, it's there.

>> Actually, since this is a SASL-only issue I didn't feel that it made any 
>> sense to continue to list USER.  That being said, I won't argue strongly 
>> either way.  Opinions?
> 
> Well, if this defence works at all it might work for other mechanisms than
> SASL. So better to keep the line the same rather than just show the SASL
> stuff.

Let me clarify my point.

Suppose somebody invents an authentication and security mechanism based on
PGP rather than SASL. We might then see:

    AUTHINFO USER SASL:CRAM-MD5,GSSAPI PGP:SHA-1,WEB-OF-TRUST,3DES

(never mind what this means for now). The argument about detecting a
down-negotiation attack applies equally well here, so we'd want this
capability to be shown as well.

So simplest just to require the line to stay the same as before
authentication in all situations. If we're going to change it at all, let's
add the "not available" flag I mentioned before.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |



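The down-negotiation check the post argues for, written out as an added example (it is not code from the draft, the list, or any NNTP server or client): a client records the AUTHINFO capability line before authenticating, re-reads CAPABILITIES once authenticated, and reports any mechanism that appears only afterwards. The sample responses are constructed; the "PGP:SHA-1,WEB-OF-TRUST,3DES" family is the hypothetical one from the message above, and the assumption that a "FAMILY:a,b" argument denotes a comma-separated list of mechanisms is mine, not the draft's.

```python
"""Detect an AUTHINFO down-negotiation by diffing CAPABILITIES before and after
authentication. Added example; the PGP mechanism family and the sample
responses are constructed for illustration and are not from the draft."""

from typing import Dict, List, Set


def parse_capabilities(response: str) -> Dict[str, List[str]]:
    """Parse a CAPABILITIES response (101 status line, capability lines,
    terminating '.') into {LABEL: [arguments]}. Dot-stuffed lines are
    unstuffed; an unterminated response is rejected rather than trusted."""
    lines = response.splitlines()
    if not lines or not lines[0].startswith("101"):
        raise ValueError("not a CAPABILITIES response")
    caps: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if line == ".":
            break
        if line.startswith(".."):
            line = line[1:]
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    else:
        raise ValueError("CAPABILITIES response not terminated by '.'")
    return caps


def authinfo_mechanisms(caps: Dict[str, List[str]]) -> Set[str]:
    """Flatten the AUTHINFO arguments into a set of mechanism tokens.
    'USER' stands alone; 'SASL:CRAM-MD5,GSSAPI' becomes {'SASL:CRAM-MD5',
    'SASL:GSSAPI'} (assumed syntax, same for any other FAMILY:a,b argument)."""
    mechs: Set[str] = set()
    for arg in caps.get("AUTHINFO", []):
        family, sep, rest = arg.partition(":")
        if sep:
            mechs.update(f"{family.upper()}:{m.upper()}" for m in rest.split(",") if m)
        else:
            mechs.add(family.upper())
    return mechs


def check_downgrade(pre_auth: str, post_auth: str) -> Set[str]:
    """Mechanisms advertised after authentication that were missing before.
    Empty set: the pre-auth advertisement was intact (or the server hides
    AUTHINFO afterwards, in which case nothing can be detected)."""
    before = authinfo_mechanisms(parse_capabilities(pre_auth))
    after = authinfo_mechanisms(parse_capabilities(post_auth))
    return after - before


# Constructed sample responses (CRLF line endings as on the wire).
FULL = "101 Capability list:\r\nVERSION 2\r\n" \
       "AUTHINFO USER SASL:CRAM-MD5,GSSAPI PGP:SHA-1,WEB-OF-TRUST,3DES\r\n.\r\n"
# What the client saw pre-auth after an attacker stripped everything but USER.
TAMPERED = "101 Capability list:\r\nVERSION 2\r\nAUTHINFO USER\r\n.\r\n"
# A server that stops advertising AUTHINFO once authenticated.
HIDDEN = "101 Capability list:\r\nVERSION 2\r\nREADER\r\n.\r\n"
# A server that only keeps the SASL part after authentication.
SASL_ONLY = "101 Capability list:\r\nVERSION 2\r\n" \
            "AUTHINFO SASL:CRAM-MD5,GSSAPI\r\n.\r\n"


def demo() -> Dict[str, Set[str]]:
    """Run the check under each post-auth policy discussed in the thread."""
    return {
        "intact": check_downgrade(FULL, FULL),
        "full line kept": check_downgrade(TAMPERED, FULL),
        "AUTHINFO hidden": check_downgrade(TAMPERED, HIDDEN),
        "SASL part only": check_downgrade(TAMPERED, SASL_ONLY),
    }


if __name__ == "__main__":
    for policy, stripped in demo().items():
        print(f"{policy:16} -> {'DOWNGRADE: ' + ', '.join(sorted(stripped)) if stripped else 'no difference'}")
```

Note what the four cases show: only the "full line kept" policy surfaces the stripped PGP mechanisms as well as the SASL ones; hiding AUTHINFO or keeping just the SASL part makes the tampering invisible. The check is only meaningful when the post-authentication CAPABILITIES response travels under a security layer (TLS or a SASL layer with integrity protection); over plaintext, whoever edited the first advertisement can edit the second to match.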