[NNTP] Comments on draft-...-authinfo-03

[Clive D.W. Feather]

Ken Murchison said:
>> I suggest that the text at the start of section 2 be called section 2.1.
>> Title perhaps "General concepts".
> Where exactly are you suggesting a split?  Are you saying that 
> everything before the current 2.1 should be 2.1 and there would be no 
> text directly under 2.?

That's right.

>> Page 4, "The server may list ...". Is the server required to reject any
>> AUTHINFO command that is then received? The purpose of this paragraph isn't
>> clear to me.
> I believe the purpose is to prevent clients which are capable of 
> AUTHINFO USER from attempting to use it if the server explicitly states 
> that its not available.

In which case, shouldn't you say that the server MUST reject these
commands?

> I changed this to read:
> 
> "When an NNTP server responds to a client command with a 480 response,
> this indicates the client MUST authenticate and/or authorize in order
> to use that command or access the indicated resource.  Use of the
> AUTHINFO command as described below is one such way that a client can
> authenticate/authorize to the server."

That's fine; that addresses my issue.

>> Section 2.2.2 para 4: delete the stuff after ("="). Or replace the entire
>> sentence with:
>> 
>>     A server challenge that has zero length MUST be sent as a single
>>     equals sign ("=") and not omitted.
> 
> What is the problem with the existing text?

I felt it had the wrong emphasis, though on re-reading it I'm less bothered
than I was.

Note the next paragraph: it also talks about encoding zero length strings
as = signs, but without attempting to justify why. In fact, we could send
it as a blank line in this case - I'm not suggesting this, just noting it
would be technically possible.

> The only reason we are 
> requiring "=" at all in this case *is* to distinguish any empty 
> challenge from any trailing junk.  All of the other messaging protocols 
> simply allow an empty string (no "=") because they don't allow trailing 
> junk.

I think this is it. You are looking at it from an SASL point of view: NNTP
wants to do something odd because of an NNTP feature. I'm looking at it
from an NNTP point of view: there's no such thing as an optional argument
in a response, so we need to encode zero-length strings.

[What happens in SMTP and POP3? I thought these allowed text after the
response code.]

As I said, it's a matter of emphasis. I can't find compromise wording, so
I'm not too bothered.

>> Page 9 last (part) para: calling the argument a "response" when it's the
>> very first thing in the exchange sounds odd. Perhaps rather than
>> "challenge" and "response" this text should just talk about "data" or
>> "words" or "negotiations".
> Its called an initial response both in [SASL] and the IMAP, POP3 and 
> SMTP SASL profile documents.  I'd like to stay consistent.

Okay.

> How about this:
> 
> "In NNTP, a server challenge that contains no data is
> equivalent to a zero length challenge and is encoded as a single
> equals sign ("=")."

Fine. [Are there protocols where the two are different? If so, how do they
handle this?]

>> 2.2.2 para "After a security layer ...": why must the SASL mechanism list
>> be the same? Why can't new ones be added? 
> This is to help detect man in the middle attacks.
[...]

I'm going to take this to a separate message.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |