[NNTP] Extension snapshots 2
Ken Murchison
ken at oceana.com
Tue Jan 4 11:41:29 PST 2005
Ken Murchison wrote:
>
> Section 2.2 ("Authenticating with the AUTHINFO Extension")
>
> "After a successful authentication, the client MUST NOT issue another
> AUTHINFO command or a MODE READER command in the same session. A
> server MUST NOT return the AUTHINFO or MODE_READER capabilities in
> response to a CAPABILITIES command and a server MUST reject any
> subsequent AUTHINFO or MODE READER commands with a 502 response. In
> agreement with [SASL], if a security layer is established as part of
> the authentication, the server MUST continue to advertise the SASL
> capability in response to a CAPABILITIES command with the same list of
> SASL mechanisms as before authentication (thereby enabling the client
> to detect a possible active down-negotiation attack)."
As an alternative to the above, I could leave the paragraph as-is (no
mention of MODE READER) and augment the following paragraph to read:

"The capability list returned in response to a CAPABILITIES command
received after authentication MAY be different than the list returned
before authentication. For example an NNTP server may not want to
advertise support for a specific extension unless a client has been
authenticated. Likewise, mode-switching servers are not permitted to
advertise the MODE_READER capability after authentication."
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
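
The post-authentication rules in the draft text quoted above can be checked from the client side. The following is an added example, not part of the original message or of the draft: it compares the capability list seen before authentication with the one received afterwards. The function names, the assumed response layout (a 101 status line, one capability per line, a lone "." terminator) and the sample responses are all constructed for illustration.

```python
# Added example: names and sample responses are constructed for illustration.
# Assumed wire format: "101 ..." status line, one capability per line
# (label then space-separated arguments), terminated by a lone ".".

# Labels that must not appear after authentication. MODE_READER is spelled as
# in the quoted draft text; the hyphenated form is accepted as an assumption.
FORBIDDEN_AFTER_AUTH = ("AUTHINFO", "MODE_READER", "MODE-READER")


def parse_capabilities(response):
    """Return {LABEL: [ARG, ...]} for a CAPABILITIES response."""
    lines = response.strip().splitlines()
    if not lines or not lines[0].startswith("101"):
        raise ValueError("not a 101 capability list")
    caps = {}
    for line in lines[1:]:
        if line.strip() == ".":
            break
        if line.strip():
            label, *args = line.split()
            caps[label.upper()] = [a.upper() for a in args]
    return caps


def check_post_auth(before, after, security_layer):
    """Return the violations of the quoted rules; an empty list means none."""
    pre, post = parse_capabilities(before), parse_capabilities(after)
    problems = [f"{label} advertised after authentication"
                for label in FORBIDDEN_AFTER_AUTH if label in post]
    if security_layer:
        pre_mechs, post_mechs = set(pre.get("SASL", [])), set(post.get("SASL", []))
        if "SASL" not in post:
            problems.append("SASL capability missing after security layer")
        elif pre_mechs != post_mechs:
            # The pre-authentication list travelled unprotected; a mismatch
            # means it may have been altered in transit.
            hidden = ", ".join(sorted(post_mechs - pre_mechs)) or "none"
            problems.append(f"SASL list changed (missing before auth: {hidden})")
    return problems


def _resp(*caps):
    return "\r\n".join(("101 Capability list:",) + caps + (".",)) + "\r\n"


# Constructed responses: the pre-auth list as the client saw it, and two
# possible post-auth lists received under the security layer.
SEEN_BEFORE = _resp("VERSION 2", "MODE_READER", "AUTHINFO SASL", "SASL PLAIN")
AFTER_OK = _resp("VERSION 2", "READER", "SASL PLAIN")
AFTER_BAD = _resp("VERSION 2", "AUTHINFO SASL", "SASL DIGEST-MD5 PLAIN")
```

A client that gets a non-empty result from `check_post_auth` after negotiating a security layer should treat the session as suspect rather than continue with it.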