[NNTP] draft-ietf-nntpext-authinfo-04
Russ Allbery
rra at stanford.edu
Wed Sep 29 11:56:47 PDT 2004
Ken Murchison <ken at oceana.com> writes:
> Clive D.W. Feather wrote:
>> So replace these two paragraphs with:
>> Note that a successful AUTHINFO command MAY cause the output of
>> the LIST EXTENSIONS command to change. However, the AUTHINFO
>> capability MUST continue to be listed with the same arguments as
>> immediately before the authentication, notwithstanding the fact
>> that no further AUTHINFO commands may be issued (this is a superset
>> of the recommendation in [SASL] and can help in detecting an active
>> down-negotiation attack).
>> Possibly this can be merged with the previous paragraph ("After an
>> AUTHINFO command ... 502 response.").
>> [Note I've deleted the reference to 2.4.2; I can't see any need for it.]
> Actually, I intended to remove the last paragraph entirely and
> apparently didn't. Would removing it be sufficient, or do you still
> want to address this in some way?
Removing it entirely would imply that LIST EXTENSIONS should not change
following a successful AUTHINFO command, yes? That seems to fine to me; I
don't have any trouble requiring that even extensions only usable while
authenticated should be advertised in the unauthenticated state and just
return the appropriate error code if used unauthenticated.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the ietf-nntp
mailing list