[NNTP] Comments on draft-...-authinfo-03
Clive D.W. Feather
clive at demon.net
Fri Sep 17 02:39:33 PDT 2004
Ken Murchison said:
>> I suggest that the text at the start of section 2 be called section 2.1.
>> Title perhaps "General concepts".
> Where exactly are you suggesting a split? Are you saying that
> everything before the current 2.1 should be 2.1 and there would be no
> text directly under 2.?
That's right.
>> Page 4, "The server may list ...". Is the server required to reject any
>> AUTHINFO command that is then received? The purpose of this paragraph isn't
>> clear to me.
> I believe the purpose is to prevent clients which are capable of
> AUTHINFO USER from attempting to use it if the server explicitly states
> that its not available.
In which case, shouldn't you say that the server MUST reject these
commands?
> I changed this to read:
>
> "When an NNTP server responds to a client command with a 480 response,
> this indicates the client MUST authenticate and/or authorize in order
> to use that command or access the indicated resource. Use of the
> AUTHINFO command as described below is one such way that a client can
> authenticate/authorize to the server."
That's fine; that addresses my issue.
>> Section 2.2.2 para 4: delete the stuff after ("="). Or replace the entire
>> sentence with:
>>
>> A server challenge that has zero length MUST be sent as a single
>> equals sign ("=") and not omitted.
>
> What is the problem with the existing text?
I felt it had the wrong emphasis, though on re-reading it I'm less bothered
than I was.
Note the next paragraph: it also talks about encoding zero length strings
as = signs, but without attempting to justify why. In fact, we could send
it as a blank line in this case - I'm not suggesting this, just noting it
would be technically possible.
> The only reason we are
> requiring "=" at all in this case *is* to distinguish any empty
> challenge from any trailing junk. All of the other messaging protocols
> simply allow an empty string (no "=") because they don't allow trailing
> junk.
I think this is it. You are looking at it from an SASL point of view: NNTP
wants to do something odd because of an NNTP feature. I'm looking at it
from an NNTP point of view: there's no such thing as an optional argument
in a response, so we need to encode zero-length strings.
[What happens in SMTP and POP3? I thought these allowed text after the
response code.]
As I said, it's a matter of emphasis. I can't find compromise wording, so
I'm not too bothered.
>> Page 9 last (part) para: calling the argument a "response" when it's the
>> very first thing in the exchange sounds odd. Perhaps rather than
>> "challenge" and "response" this text should just talk about "data" or
>> "words" or "negotiations".
> Its called an initial response both in [SASL] and the IMAP, POP3 and
> SMTP SASL profile documents. I'd like to stay consistent.
Okay.
> How about this:
>
> "In NNTP, a server challenge that contains no data is
> equivalent to a zero length challenge and is encoded as a single
> equals sign ("=")."
Fine. [Are there protocols where the two are different? If so, how do they
handle this?]
>> 2.2.2 para "After a security layer ...": why must the SASL mechanism list
>> be the same? Why can't new ones be added?
> This is to help detect man in the middle attacks.
[...]
I'm going to take this to a separate message.
--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | Fax: +44 870 051 9937
Demon Internet | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc | |
More information about the ietf-nntp
mailing list