[NNTP] draft-ietf-nntpext-authinfo-04

Clive D.W. Feather clive at demon.net
Wed Sep 29 01:23:08 PDT 2004


Russ Allbery said:
>> I just submitted the -04 revision of AUTHINFO which can be previewed
>> here:
> 
>> http://www.oceana.com/ftp/drafts/draft-ietf-nntpext-authinfo-04.txt
> 
> Excellent!  Please, everyone, look this over and see if there are any
> major issues left.  If no one objects, I will advance this to IETF Last
> Call on Thursday or Friday.

Not a major issue, but I don't think the last two paragraphs of 2.2
correctly reflect the discussions we've had.

Since you can only ever do one successful AUTHINFO, the capability isn't
available *at all* afterwards. Therefore the options are either:
* don't show AUTHINFO, matching reality
* show AUTHINFO, matching [SASL].
Since we've already agreed on the latter, let's require the entire AUTHINFO
capability to be the same as before authorisation - that way, if the
information *is* of use in detecting attacks, it's there.

So replace these two paragraphs with:

    Note that a successful AUTHINFO command MAY cause the output of
    the LIST EXTENSIONS command to change. However, the AUTHINFO
    capability MUST continue to be listed with the same arguments as
    immediately before the authentication, notwithstanding the fact
    that no further AUTHINFO commands may be issued (this is a superset
    of the recommendation in [SASL] and can help in detecting an active
    down-negotiation attack).

Possibly this can be merged with the previous paragraph ("After an AUTHINFO
command ... 502 response.").

[Note I've deleted the reference to 2.4.2; I can't see any need for it.]

2.4.2 "When both TLS ..."; I said in a previous message that this could be
re-read, and suggested other wording for it.

2.4.3 third and fourth examples: change "base64-encoded data is sent" to
"base64-encoded data is actually sent".

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |
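The check that the proposed 2.2 text is meant to enable, as an added example (this is not code from the draft, from the list, or from any NNTP implementation): a client records the arguments of the AUTHINFO capability from LIST EXTENSIONS, authenticates with AUTHINFO USER/PASS, asks for LIST EXTENSIONS again, and flags a difference in the AUTHINFO line as a possible active down-negotiation. The server side is an in-memory stub; the capability labels (AUTHINFO with USER/SASL arguments, a separate SASL line), the 202/381/281/481/502 reply codes, and the capability listings are assumptions and constructed sample data, not taken from the page.

```python
"""Client-side consistency check for the AUTHINFO capability before and
after authentication (added example; stub server, constructed data)."""


class StubServer:
    """Scripted NNTP server answering LIST EXTENSIONS and AUTHINFO.

    pre_auth / post_auth are the capability lines shown before and after
    a successful AUTHINFO.  Reply codes are assumed draft-era values."""

    def __init__(self, pre_auth, post_auth, password="secret"):
        self.pre_auth = list(pre_auth)
        self.post_auth = list(post_auth)
        self.password = password
        self.user = None
        self.authenticated = False

    def send(self, command):
        """Return the server reply as a list of response lines."""
        parts = command.split()
        verb = parts[0].upper() if parts else ""
        if verb == "LIST" and len(parts) > 1 and parts[1].upper() == "EXTENSIONS":
            caps = self.post_auth if self.authenticated else self.pre_auth
            return ["202 Extensions supported:"] + caps + ["."]
        if verb == "AUTHINFO":
            if self.authenticated:
                # Only one successful AUTHINFO per session; later ones fail.
                return ["502 Command unavailable"]
            sub = parts[1].upper() if len(parts) > 1 else ""
            if sub == "USER" and len(parts) == 3:
                self.user = parts[2]
                return ["381 Password required"]
            if sub == "PASS" and len(parts) == 3 and self.user:
                if parts[2] == self.password:
                    self.authenticated = True
                    return ["281 Authentication accepted"]
                return ["481 Authentication failed"]
            return ["501 Syntax error"]
        return ["500 Unknown command"]


def list_extensions(server):
    """Fetch the capability listing, stripping status line and final '.'."""
    reply = server.send("LIST EXTENSIONS")
    if not reply[0].startswith("202"):
        raise RuntimeError("LIST EXTENSIONS failed: " + reply[0])
    return reply[1:-1]


def capability_args(caps, label):
    """Arguments of the capability named `label`, or None if absent."""
    for line in caps:
        words = line.split()
        if words and words[0].upper() == label.upper():
            return [w.upper() for w in words[1:]]
    return None


def login_and_check(server, user, password):
    """Authenticate and compare the AUTHINFO line before and after.

    Returns a dict: 'authenticated', and 'consistent' (True when the
    AUTHINFO arguments match, False when they differ, None if the login
    failed and no comparison was possible)."""
    before = list_extensions(server)
    before_args = capability_args(before, "AUTHINFO")
    if before_args is None:
        raise RuntimeError("server does not advertise AUTHINFO")
    if not server.send("AUTHINFO USER " + user)[0].startswith("381"):
        raise RuntimeError("unexpected reply to AUTHINFO USER")
    if not server.send("AUTHINFO PASS " + password)[0].startswith("281"):
        return {"authenticated": False, "consistent": None}
    after_args = capability_args(list_extensions(server), "AUTHINFO")
    # Other capabilities may legitimately change after login (e.g. POST
    # appearing); only the AUTHINFO arguments are required to be stable.
    return {"authenticated": True, "consistent": before_args == after_args}


# Constructed sample listings (not from any real server).
CONFORMING_PRE = ["AUTHINFO USER SASL", "SASL PLAIN DIGEST-MD5", "LISTGROUP"]
CONFORMING_POST = ["AUTHINFO USER SASL", "SASL PLAIN DIGEST-MD5", "LISTGROUP", "POST"]
# What a client would see if an active attacker stripped SASL from the
# pre-authentication listing to force plaintext AUTHINFO USER/PASS.
DOWNGRADED_PRE = ["AUTHINFO USER", "LISTGROUP"]

if __name__ == "__main__":
    print("conforming:", login_and_check(StubServer(CONFORMING_PRE, CONFORMING_POST), "alice", "secret"))
    print("downgraded:", login_and_check(StubServer(DOWNGRADED_PRE, CONFORMING_POST), "alice", "secret"))
```

The comparison is only as strong as the channel that carries the second LIST EXTENSIONS: an attacker who can rewrite the pre-authentication listing and still sits on the connection can rewrite the post-authentication one too, which is why the proposed text says the check "can help" rather than that it prevents the attack.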
