[NNTP] draft-ietf-nntpext-authinfo-05 & draft-ietf-nntpext-tls-nntp-03

Clive D.W. Feather clive at demon.net
Mon Oct 18 03:33:58 PDT 2004


Ken Murchison said:
>> In authinfo-05, section 2.2, para 5 (of 7) I don't see the point of the
>> last sentence and in particular the SHOULD. See the similar comment on the
>> TLS document for details.
> This dovetails with the fact that the capabilities might change after 
> auth/tls and the client should check for this.  Russ, care to comment? 
> I'm not married to this at this point, so I'll let the chair decide.

See my response to Russ.

>> I still think the last paragraph of 2.2 does things wrong; I've given
>> my preference several times, so I won't repeat it again.
> I apologize, I must have lost track of this in the threads or assumed 
> that we had a consensus (all 4 of us :) otherwise.  Can you reiterate
> your argument and suggested text?

After a successful AUTHINFO command, the client MUST NOT issue another one.
Therefore the contents of the LIST EXTENSIONS response AUTHINFO line is
largely academic; its only use is as information as to what *was*
available. This has been accepted for SASL, but I believe it applies
equally well in every case if it applies at all.

So change the last paragraph of 2.2 to:

     After a successful authentication, the client MUST NOT issue another
     AUTHINFO command in the same session and a server MUST reject any
     further AUTHINFO commands with a 502 response.  For this reason,
     once authentication has happened the AUTHINFO line in the results of
     LIST EXTENSIONS is effectively irrelevant. Per [SASL], in order to
     allow the client to determine what options were available, the
     server MUST return the same arguments in this line as it would have
     done immediately before the successful authentication; inter alia
     this assists the detection of a possible active down-negotiation
     attack.

[Note that this swallows the first sentence of the paragraph two above; I'm
already arguing to lose the second sentence.]

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |
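The AUTHINFO rule proposed in the paragraph above, as an added example that is not part of the draft or of this post: a constructed server state that refuses a repeated AUTHINFO with 502 and reports the same AUTHINFO arguments before and after authentication, plus the client-side comparison that this makes possible. Class and function names, the credentials, and the `tampered_pre_auth` parameter (standing in for an active down-negotiation attempt on the unprotected pre-authentication reply) are all assumptions of this example.

```python
class NntpAuthState:
    """Server-side AUTHINFO state for one session (constructed example)."""

    def __init__(self, mechanisms=("USER", "SASL PLAIN DIGEST-MD5")):
        self.mechanisms = tuple(mechanisms)  # what the server really offers
        self.pending_user = None
        self.authenticated = False

    def authinfo(self, kind, arg):
        # After a successful authentication every further AUTHINFO gets 502.
        if self.authenticated:
            return "502 Command unavailable"
        if kind == "USER":
            self.pending_user = arg
            return "381 Password required"
        # Credentials are a constructed fixture, not a real check.
        if kind == "PASS" and (self.pending_user, arg) == ("alice", "secret"):
            self.authenticated = True
            return "281 Authentication accepted"
        return "481 Authentication failed"

    def list_extensions(self):
        # Same AUTHINFO arguments before and after authentication, so the
        # client can compare the two (the [SASL]-derived requirement above).
        return ["202 Extensions supported:",
                "AUTHINFO " + " ".join(self.mechanisms), "."]


def authinfo_args(extensions):
    """Return the arguments of the AUTHINFO line of a LIST EXTENSIONS reply."""
    for line in extensions:
        words = line.split()
        if words and words[0] == "AUTHINFO":
            return tuple(words[1:])
    return ()


def client_session(server, tampered_pre_auth=None):
    """Client side: note the pre-auth AUTHINFO args, log in, then re-check.
    tampered_pre_auth stands in for an attacker rewriting the unprotected
    pre-authentication LIST EXTENSIONS reply (e.g. dropping SASL).
    Returns (login reply, reply to a repeated AUTHINFO, downgrade_detected).
    """
    before = authinfo_args(tampered_pre_auth or server.list_extensions())
    server.authinfo("USER", "alice")
    reply = server.authinfo("PASS", "secret")
    repeated = server.authinfo("USER", "alice")  # must now be refused with 502
    after = authinfo_args(server.list_extensions())
    return reply, repeated, before != after
```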
