[NNTP] Extension snapshots 2

Ken Murchison ken at oceana.com
Tue Jan 4 11:41:29 PST 2005


Ken Murchison wrote:

> 
> Section 2.2 ("Authenticating with the AUTHINFO Extension")
> 
> "After a successful authentication, the client MUST NOT issue another
> AUTHINFO command or a MODE READER command in the same session.  A
> server MUST NOT return the AUTHINFO or MODE_READER capabilities in
> response to a CAPABILITIES command and a server MUST reject any
> subsequent AUTHINFO or MODE READER commands with a 502 response.  In
> agreement with [SASL], if a security layer is established as part of
> the authentication, the server MUST continue to advertise the SASL
> capability in response to a CAPABILITIES command with the same list of
> SASL mechanisms as before authentication (thereby enabling the client
> to detect a possible active down-negotiation attack)."

As an alternative to the above, I could leave the paragraph as-is (no 
mention of MODE READER) and augment the following paragraph to read:

"The capability list returned in response to a CAPABILITIES command
received after authentication MAY be different than the list returned
before authentication.  For example, an NNTP server may not want to
advertise support for a specific extension unless a client has been
authenticated.  Likewise, mode-switching servers are not permitted to 
advertise the MODE_READER capability after authentication."


-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
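
A client-side check of the post-authentication rules quoted above, as an added example that is not part of the original message or of the draft. The capability-list layout, the VERSION and READER lines, and the sample responses are assumptions constructed for illustration; the AUTHINFO, MODE_READER and SASL labels are the ones used in the quoted text.

```python
# Added illustration, not from the draft or the list archive.
# Assumed layout: one capability per line, label then space-separated arguments.

def parse_capabilities(lines):
    """Map each capability label to the set of its arguments."""
    caps = {}
    for line in lines:
        line = line.strip()
        if not line or line == "." or line.startswith("101"):
            continue  # status line and terminator carry no capability
        label, *args = line.upper().split()
        caps[label] = set(args)
    return caps

def check_post_auth(before, after, security_layer):
    """List violations of the quoted Section 2.2 rules in a post-auth list."""
    problems = []
    for label in ("AUTHINFO", "MODE_READER"):
        if label in after:
            problems.append(f"{label} advertised after authentication")
    if security_layer:
        old, new = before.get("SASL", set()), after.get("SASL")
        if new is None:
            problems.append("SASL not advertised under security layer")
        elif new != old:
            diff = ",".join(sorted(old ^ new))
            problems.append(f"SASL mechanism list changed ({diff}): "
                            "possible down-negotiation")
    return problems

# Constructed sample responses (not captured from a real server).
PRE_AUTH = ["101 Capability list:", "VERSION 2", "MODE_READER",
            "AUTHINFO SASL", "SASL DIGEST-MD5 GSSAPI", "."]
PRE_AUTH_STRIPPED = ["101 Capability list:", "VERSION 2", "MODE_READER",
                     "AUTHINFO SASL", "SASL DIGEST-MD5", "."]
POST_AUTH = ["101 Capability list:", "VERSION 2", "READER",
             "SASL DIGEST-MD5 GSSAPI", "."]

if __name__ == "__main__":
    after = parse_capabilities(POST_AUTH)
    for name, pre in (("intact", PRE_AUTH), ("stripped", PRE_AUTH_STRIPPED)):
        print(name, check_post_auth(parse_capabilities(pre), after, True))
```

The comparison is order-insensitive; a client that wants the literal "same list" reading can compare ordered lists instead of sets.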


