[NNTP] Comments on draft-...-authinfo-03

Clive D.W. Feather clive at demon.net
Tue Sep 28 05:55:58 PDT 2004


Jeffrey M. Vinocur said:
>>> You should keep in mind a couple underlying assumptions that are true
>>> in other SASL-using protocols perhaps more than NNTP.  One is that the
>>> client may have some way to verify the server's identity after the
>>> connection is established.
>> External to the link or internal?
> I was purposefully vague because I didn't want to look up specifics, 
> but in principle the SASL negotiation can be bidirectional, similar to 
> the way a web browser would verify a TLS server certificate.

Okay.

>>> Another is that the data passing over the
>>> connection is more valuable than the user's password itself.
>> Hmm. Surely if you've got the password then you have access to the
>> data at your leisure?
> Not if it's a one-time pad or a challenge-response mechanism :-)

Point.

>>> When the server's LIST
>>> EXTENSIONS response arrives, the client TCP stack discards it as a
>>> duplicate.
>> Only if it's exactly the same length. If it isn't, the two ends will now
>> be out of sync.
>>    Attacker sends  "AUTHINFO SASL:WEAK" as the last item in the response.
>>    Server sends "AUTHINFO SASL:WEAK,MEDIUM,STRONG" as the last item.
> *shrug*  So the attacker sends "AUTHINFO SASL:WEAK FOOBAR GZNORT" instead,

Only if it knows the exact length of the string. Okay, it can make a
separate connection to the server to see, but it's starting to get a bit
threadbare as a threat.

>>>> Question to the group: would it be worth adding a flag to show that
>>>> authentication is no longer possible? Something like:
>>>>
>>>>    AUTHINFO - USER SASL:EXTERNAL
>>>

> *nod*
> 
> It's a bit more of a change late in the game, but what do you think 
> about putting the - before each of the forbidden auth types?  Say, 
> "AUTHINFO -USER -SASL:EXTERNAL".

Hmm. That would also allow a server to say "I grok this method but am not
permitting it" at an earlier stage:

    AUTHINFO -USER SASL:EXTERNAL

If Russ will go for it, I'd be happy.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |
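
An added example, not code from this thread or from the draft: a small parser for the capability syntax being discussed above (whitespace-separated items after AUTHINFO, a "-" prefix marking an item the server understands but does not permit, and a bare "-" marking that authentication is no longer possible), together with a client-side check that refuses to proceed when none of the mechanisms the client is willing to use is actually offered, which is the client's defence against the injected "SASL:WEAK" response in the scenario above. The mechanism names WEAK, MEDIUM and STRONG are the placeholder names used in the thread; the syntax is the proposal as written here, not the final form of the extension.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class AuthinfoCaps:
    permitted: Set[str] = field(default_factory=set)  # e.g. {"USER", "SASL:STRONG"}
    forbidden: Set[str] = field(default_factory=set)  # items given with a "-" prefix
    closed: bool = False                               # a bare "-" item was present


def parse_authinfo(line: str) -> AuthinfoCaps:
    """Parse one AUTHINFO capability line in the proposed syntax (assumed here)."""
    tokens = line.split()
    if not tokens or tokens[0].upper() != "AUTHINFO":
        raise ValueError("not an AUTHINFO capability line")
    caps = AuthinfoCaps()
    for tok in tokens[1:]:
        if tok == "-":                       # "AUTHINFO - USER ..." : no auth possible now
            caps.closed = True
            continue
        banned = tok.startswith("-")         # "-USER", "-SASL:EXTERNAL"
        item = tok[1:] if banned else tok
        if item.upper() == "USER":
            names = ["USER"]
        elif item.upper().startswith("SASL:"):
            # SASL item carries a comma-separated mechanism list
            names = ["SASL:" + m.upper() for m in item[5:].split(",") if m]
        else:
            raise ValueError(f"unknown AUTHINFO item: {tok}")
        (caps.forbidden if banned else caps.permitted).update(names)
    return caps


def choose_mechanism(line: str, acceptable: List[str]) -> Optional[str]:
    """Pick the first client-acceptable mechanism the server permits.

    `acceptable` is the client's own policy, strongest first.  If nothing on
    that list is offered (for example because a tampered response advertised
    only SASL:WEAK), return None instead of silently downgrading.
    """
    caps = parse_authinfo(line)
    if caps.closed:
        return None
    for mech in acceptable:
        if mech in caps.permitted:
            return mech
    return None
```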
