[NNTP] Comments on draft-...-authinfo-03
Clive D.W. Feather
clive at demon.net
Tue Sep 28 05:55:58 PDT 2004
Jeffrey M. Vinocur said:
>>> You should keep in mind a couple underlying assumptions that are true
>>> in other SASL-using protocols perhaps more than NNTP. One is that the
>>> client may have some way to verify the server's identity after the
>>> connection is established.
>> External to the link or internal?
> I was purposefully vague because I didn't want to look up specifics,
> but in principle the SASL negotiation can be bidirectional, similar to
> the way a web browser would verify a TLS server certificate.
Okay.
>>> Another is that the data passing over the
>>> connection is more valuable than the user's password itself.
>> Hmm. Surely if you've got the password then you have access to the
>> data at your leisure?
> Not if it's a one-time pad or a challenge-response mechanism :-)
Point.
>>> When the server's LIST
>>> EXTENSIONS response arrives, the client TCP stack discards it as a
>>> duplicate.
>> Only if it's exactly the same length. If it isn't, the two ends will now
>> be out of sync.
>> Attacker sends "AUTHINFO SASL:WEAK" as the last item in the response.
>> Server sends "AUTHINFO SASL:WEAK,MEDIUM,STRONG" as the last item.
> *shrug* So the attacker sends "AUTHINFO SASL:WEAK FOOBAR GZNORT"
> instead,
Only if it knows the exact length of the string. Okay, it can make a
separate connection to the server to see, but it's starting to get a bit
threadbare as a threat.
>>>> Question to the group: would it be worth adding a flag to show that
>>>> authentication is no longer possible? Something like:
>>>>
>>>> AUTHINFO - USER SASL:EXTERNAL
>>>
> *nod*
>
> It's a bit more of a change late in the game, but what do you think
> about putting the - before each of the forbidden auth types? Say,
> "AUTHINFO -USER -SASL:EXTERNAL".
Hmm. That would also allow a server to say "I grok this method but am not
permitting it" at an earlier stage:
AUTHINFO -USER SASL:EXTERNAL
If Russ will go for it, I'd be happy.
--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | Fax: +44 870 051 9937
Demon Internet | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc | |
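The capability-line syntax proposed in the exchange above, and the downgrade-to-WEAK advertisement from the TCP-injection discussion, as an added Python example that is not code from the draft or from any poster: a client-side parser for the "-" prefix (both the bare "-" form and the per-method form) together with a mechanism chooser that enforces a minimum-strength floor. STRONG/MEDIUM/WEAK are the thread's placeholder names; the ranking, the `AuthInfoCaps` type and the `minimum` parameter are constructed for this example.

```python
"""Client-side handling of the AUTHINFO capability syntax proposed in this thread:
a leading "-" marks a method the server knows but will not permit, and a bare
"-" (the earlier proposal) marks every method after it as no longer available."""
from dataclasses import dataclass, field

@dataclass
class AuthInfoCaps:
    allowed: set = field(default_factory=set)        # e.g. {"USER", "SASL"}
    forbidden: set = field(default_factory=set)      # methods advertised with "-"
    sasl_mechs: list = field(default_factory=list)   # permitted SASL mechanisms
    forbidden_mechs: list = field(default_factory=list)

def parse_authinfo(line):
    """Parse e.g. 'AUTHINFO -USER SASL:EXTERNAL' into an AuthInfoCaps."""
    tokens = line.split()
    if not tokens or tokens[0].upper() != "AUTHINFO":
        raise ValueError("not an AUTHINFO capability line")
    caps, all_forbidden = AuthInfoCaps(), False
    for tok in tokens[1:]:
        if tok == "-":                     # bare '-': nothing after it is usable
            all_forbidden = True
            continue
        forbidden = all_forbidden or tok.startswith("-")
        name = tok.lstrip("-").upper()
        if name.startswith("SASL:"):
            mechs = [m for m in name[5:].split(",") if m]
            (caps.forbidden_mechs if forbidden else caps.sasl_mechs).extend(mechs)
            name = "SASL"
        (caps.forbidden if forbidden else caps.allowed).add(name)
    return caps

def authentication_possible(caps):
    """The flag the thread asks for: is any method still permitted?"""
    return bool(caps.allowed)

# Constructed client ranking, strongest first, using the thread's placeholder names.
CLIENT_PREFERENCE = ["STRONG", "MEDIUM", "WEAK"]

def choose_mechanism(caps, preference=CLIENT_PREFERENCE, minimum="MEDIUM"):
    """Strongest permitted mechanism, or None if only ones below `minimum` remain.
    A list trimmed to 'SASL:WEAK' (the injection case above) thus fails closed."""
    floor = preference.index(minimum)
    for mech in preference[:floor + 1]:
        if mech in caps.sasl_mechs and mech not in caps.forbidden_mechs:
            return mech
    return None
```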