[NNTP] Comments on draft-...-authinfo-03
Clive D.W. Feather
clive at demon.net
Wed Sep 22 07:41:46 PDT 2004
Ken Murchison said:
>>>>2.2.2 para "After a security layer ...": why must the SASL mechanism list
>>>>be the same? Why can't new ones be added?
>>>
>>>This is to help detect man in the middle attacks.
[...]
Following Jeffrey's explanation I now understand the attack that you're
defending against, though I wouldn't call it "Man-in-the-Middle".
> Anyone implementing this extension will have to read RFC 2222bis, so I
> don't want to repeat what is already discussed there:
>
> In order to detect Man-in-the-middle (MITM) attacks
You may want to bring the terminology discussion to whoever is working on
2222bis.
> New
> protocol profiles SHOULD require servers to make the list of SASL
> mechanisms available for the initial authentication available to the
> client after security layers are established.
Fine.
> I suppose a reference to this text wouldn't hurt however.
I'd be happy with:
In agreement with [SASL], after a security layer is established
the server MUST continue to advertise the AUTHINFO capability with
the same arguments as before authentication.
>> Question to the group: would it be worth adding a flag to show that
>> authentication is no longer possible? Something like:
>>
>> AUTHINFO - USER SASL:EXTERNAL
>
> Or we could just ignore a SHOULD in RFC 2222bis and not display the
> AUTHINFO capability at all after authentication. But I don't think this
> is a good idea.
I'm happy to show the information, though I think it's better being flagged
(so that a naive client [author] doesn't think that AUTHINFO is valid at
this point).
--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | Fax: +44 870 051 9937
Demon Internet | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc | |
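As an added illustration of the comparison the quoted SASL text asks clients to make (this is example code written for this page, not from the draft, from Clive, or from Ken; the capability line format `AUTHINFO USER SASL:PLAIN,EXTERNAL` is assumed from the example line quoted above, not taken from the draft itself):

```python
# Added example (not from the draft or the thread): a client-side check for
# the rule discussed above. Once a security layer is up, the server MUST
# advertise AUTHINFO with the same arguments as before; a client that sees the
# argument set change should treat the session as tampered with and abort.
# The capability line format "AUTHINFO USER SASL:PLAIN,EXTERNAL" is an
# assumption drawn from the example line in the thread.

def parse_authinfo(capabilities):
    """Return the AUTHINFO arguments as a frozenset of tokens, with the SASL
    mechanism list expanded to 'SASL:<mech>' entries; None if not advertised."""
    for line in capabilities:
        parts = line.split()
        if not parts or parts[0].upper() != "AUTHINFO":
            continue
        tokens = set()
        for arg in parts[1:]:
            upper = arg.upper()
            if upper.startswith("SASL:"):
                for mech in upper[5:].split(","):
                    if mech:
                        tokens.add("SASL:" + mech)
            else:
                tokens.add(upper)
        return frozenset(tokens)
    return None

def check_after_security_layer(before, after):
    """Compare AUTHINFO as advertised before and after the security layer.
    Returns (ok, reason). Any difference fails: a shrunken list is exactly
    the downgrade the SASL text is meant to expose, and a grown list is just
    as unexpected under the MUST."""
    pre = parse_authinfo(before)
    post = parse_authinfo(after)
    if pre is None:
        return False, "AUTHINFO not advertised before security layer"
    if post is None:
        return False, "AUTHINFO disappeared after security layer"
    if pre == post:
        return True, "AUTHINFO arguments unchanged"
    missing = sorted(pre - post)
    added = sorted(post - pre)
    return False, "AUTHINFO arguments changed: missing=%s added=%s" % (missing, added)

# Constructed sample CAPABILITIES responses (not captured from a real server).
BEFORE = ["VERSION 2", "READER", "AUTHINFO USER SASL:PLAIN,EXTERNAL"]
AFTER_OK = ["VERSION 2", "READER", "AUTHINFO USER SASL:PLAIN,EXTERNAL"]
AFTER_DOWNGRADED = ["VERSION 2", "READER", "AUTHINFO USER"]
```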