[NNTP] Re: AUTHINFO and STARTTLS interaction

Russ Allbery rra at stanford.edu
Wed Sep 29 23:03:03 PDT 2004


Clive D W Feather <clive at demon.net> writes:
> Ken Murchison said:

>> Contrary to what I may have said previously, I don't think we *have* to
>> prevent STARTTLS from being used after AUTHINFO.  As long as we specify
>> in which order the layers are applied (per Section 4, req. 7 of RFC
>> 2222bis), I think we are free to allow STARTTLS before or after
>> AUTHINFO.  I believe that this is something that was discussed in the
>> past and there was support for it.  Do we want to revisit this, or just
>> continue to disallow STARTTLS after AUTHINFO?

> I'd prefer not to have the restriction; IMO it's better for the
> documents to be decoupled as far as possible.

Ken and I have been discussing this some in e-mail with Mark Crispin, and
as a result of that discussion, I realized a few things that I'd forgotten
about this.

First, STARTTLS requires that one discard all authentication information
performed before STARTTLS happens, which means that if one authenticates
and then runs STARTTLS, one ends up unauthenticated again.  This is very
counterintuitive.

Second, if one then wants to re-establish authentication, we end up with
essentially a backdoor way to do re-authentication, something that we'd
previously decided to punt on because it was too complex to describe
properly.

I think those two problems are fatal, or at least more of a headache than
I think we want to deal with at this point.  Please let me know if you
disagree, but barring disagreement, I think we should just leave well
enough alone.

(Mark also had other concerns related to the ease of hijacking
authenticated sessions that aren't protected by a privacy layer and his
poor experience as a client author with reactive authentication in NNTP.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
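
The two problems raised in the message above, shown as a toy session-state model. This is an added illustration, not part of the original post and not taken from any NNTP server; the `Session` class, the one-step `AUTHINFO USER` login, the sample client script and the response codes (382, 281, 502, 480, 211, 500) are assumptions made for the example.

```python
# Toy NNTP session state model (constructed example; single-step AUTHINFO
# and the response codes used here are simplifying assumptions).
class Session:
    def __init__(self, allow_starttls_after_auth):
        self.allow_starttls_after_auth = allow_starttls_after_auth
        self.tls = False
        self.user = None        # None means unauthenticated
        self.auth_count = 0     # successful authentications on this connection

    def handle(self, line):
        verb, *args = line.split()
        verb = verb.upper()
        if verb == "STARTTLS":
            if self.tls:
                return 502      # TLS layer already active
            if self.user is not None and not self.allow_starttls_after_auth:
                return 502      # restrictive policy: refuse, keep state as is
            self.tls = True
            self.user = None    # STARTTLS discards prior authentication
            return 382
        if verb == "AUTHINFO":
            if self.user is not None or not args:
                return 502      # no re-authentication while authenticated
            self.user = args[-1]
            self.auth_count += 1
            return 281
        if verb == "GROUP":
            return 211 if self.user is not None else 480
        return 500


def run(allow_starttls_after_auth, commands):
    """Feed commands to a fresh session; return (codes, final session)."""
    s = Session(allow_starttls_after_auth)
    return [s.handle(c) for c in commands], s


# Constructed client script: authenticate, then try to add TLS afterwards.
CLIENT = ["AUTHINFO USER alice", "STARTTLS", "GROUP misc.test", "AUTHINFO USER alice"]

if __name__ == "__main__":
    for policy in (True, False):
        codes, s = run(policy, CLIENT)
        print(policy, codes, "tls=%s user=%s auths=%d" % (s.tls, s.user, s.auth_count))
```

With STARTTLS allowed after AUTHINFO, the third command is refused because the session has silently become unauthenticated, and the fourth succeeds as a second authentication on the same connection; with the restriction in place, the session state never changes after the first login.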



More information about the ietf-nntp mailing list