[NNTP] Extension snapshots 2

Ken Murchison ken at oceana.com
Tue Jan 4 13:25:09 PST 2005


Russ Allbery wrote:

> Ken Murchison <ken at oceana.com> writes:
> 
> 
>>OK, given that all we care about is the advertising of the capability,
>>can we just rely on the base doc and remind people with my alternative
>>text:
> 
> 
>>"The capability list returned in response to a CAPABILITIES command
>>received after authentication MAY be different from the list returned
>>before authentication.  For example, an NNTP server may not want to
>>advertise support for a specific extension unless a client has been
>>authenticated.  Likewise, servers are not permitted to advertise the
>>MODE_READER capability after authentication (see X.X of [NNTP])."
> 
> 
> The only reason why I'm leery of that approach is that sending MODE READER
> after authentication could potentially break something (if you
> authenticate to the transit server and then switch to the reader server,
> for instance).  Of course, a client shouldn't send MODE READER unless
> MODE_READER is advertised as a capability -- maybe that's all we need.

OK, how about this?  I think I state everything that you want as well as 
refer to the base doc.

"After a successful authentication, the client MUST NOT issue another
AUTHINFO command in the same session.  A server MUST NOT return the
AUTHINFO capability in response to a CAPABILITIES command and a server
MUST reject any subsequent AUTHINFO commands with a 502 response.
Additionally, per section X.X of [NNTP], the client MUST NOT issue a
MODE READER command after authentication and a server MUST NOT
advertise the MODE_READER capability.

In agreement with [SASL], if a security layer is established as part
of the authentication, the server MUST continue to advertise the SASL
capability in response to a CAPABILITIES command with the same list of
SASL mechanisms as before authentication (thereby enabling the client
to detect a possible active down-negotiation attack).

The capability list returned in response to a CAPABILITIES command
received after authentication MAY be different from the list returned
before authentication.  For example, an NNTP server may not want to
advertise support for a specific extension unless a client has been
authenticated."



-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
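The three rules in the proposed text above (no AUTHINFO or MODE_READER capability after authentication, AUTHINFO rejected with 502, and the SASL mechanism list re-advertised unchanged once a security layer is up) are easy to get subtly wrong in an implementation, so here is a worked model of both sides. This is an added example written for this page; it is not code from the thread, from the draft, or from any NNTP server. The mechanism names, the XHYPOTHETICAL extension, the choice of which mechanisms negotiate a security layer, the client's preference order, and the 502 reply to a post-authentication MODE READER are all assumptions of the example (the proposed text only binds the client on that last point). The capability label is spelled MODE_READER to match the draft text quoted above; the published RFC 3977 spells it MODE-READER.

```python
# Added example; not from the thread or any NNTP implementation.
# Server side: a toy NNTP session honouring the proposed capability rules.
# Client side: the SASL-list comparison the "security layer" paragraph enables.

LAYER_MECHS = {"DIGEST-MD5", "GSSAPI"}                 # assumption: these negotiate a layer
CLIENT_PREFERENCE = ("GSSAPI", "DIGEST-MD5", "PLAIN")  # assumed client policy, strongest first


class NntpSession:
    """Server-side state of one NNTP session (example only)."""

    def __init__(self, mechs=("PLAIN", "DIGEST-MD5")):
        self.mechs = tuple(mechs)          # hypothetical server configuration
        self.authenticated = False
        self.security_layer = False

    def capabilities(self):
        caps = ["VERSION 2", "READER"]
        if not self.authenticated:
            # Before authentication: AUTHINFO, SASL and MODE_READER are all on offer.
            caps += ["MODE_READER", "AUTHINFO SASL", "SASL " + " ".join(self.mechs)]
        else:
            # After authentication: AUTHINFO and MODE_READER MUST NOT be advertised.
            if self.security_layer:
                # Deliberately the same mechanism list as before authentication,
                # so the client can compare the two and spot tampering.
                caps.append("SASL " + " ".join(self.mechs))
            caps.append("XHYPOTHETICAL")   # hypothetical extension offered only after login
        return caps

    def handle(self, line):
        """Return the response lines for one client command."""
        verb, _, rest = line.partition(" ")
        verb = verb.upper()
        if verb == "CAPABILITIES":
            return ["101 Capability list:"] + self.capabilities() + ["."]
        if verb == "AUTHINFO":
            if self.authenticated:
                return ["502 Command unavailable"]   # a second AUTHINFO is rejected
            return self._authinfo(rest)
        if verb == "MODE" and rest.upper() == "READER":
            if self.authenticated:
                return ["502 Command unavailable"]   # example choice; text binds the client
            return ["200 Posting allowed"]
        return ["500 Unknown command"]

    def _authinfo(self, rest):
        # Toy SASL: "SASL <mech> <initial-response>"; any response is accepted.
        parts = rest.split()
        if len(parts) != 3 or parts[0].upper() != "SASL":
            return ["501 Syntax error"]
        mech = parts[1].upper()
        if mech not in self.mechs:
            return ["503 Mechanism not recognized"]
        self.authenticated = True
        self.security_layer = mech in LAYER_MECHS
        return ["281 Authentication accepted"]


# ---- client side -----------------------------------------------------------

def sasl_mechs_from(caps):
    """Mechanism tuple from a capability list, or None if no SASL line."""
    for line in caps:
        label, _, rest = line.partition(" ")
        if label.upper() == "SASL":
            return tuple(rest.split())
    return None


def downgrade_suspected(pre_caps, post_caps, security_layer):
    """Once a layer is up, a changed SASL list means the pre-auth list was tampered with."""
    if not security_layer:
        return False
    return sasl_mechs_from(pre_caps) != sasl_mechs_from(post_caps)


def tamper_sasl(line, strip):
    """Constructed attacker action: remove mechanisms from the pre-auth SASL line."""
    label, _, rest = line.partition(" ")
    if label.upper() != "SASL":
        return line
    return "SASL " + " ".join(m for m in rest.split() if m not in strip)


def simulate(strip=()):
    """CAPABILITIES / AUTHINFO / CAPABILITIES exchange; returns (pre, post, detected)."""
    server = NntpSession(mechs=("PLAIN", "DIGEST-MD5", "GSSAPI"))
    pre = server.handle("CAPABILITIES")
    if strip:                                   # active attacker edits the first list
        pre = [tamper_sasl(c, strip) for c in pre]
    seen = sasl_mechs_from(pre)
    mech = next(m for m in CLIENT_PREFERENCE if m in seen)
    server.handle(f"AUTHINFO SASL {mech} AAAA")
    post = server.handle("CAPABILITIES")
    return pre, post, downgrade_suspected(pre, post, server.security_layer)
```

Running simulate() without tampering yields no alarm, while simulate(strip=("GSSAPI",)) shows the point of the SASL paragraph: the attacker can only edit the list the client saw before the layer existed, so the untouched list re-advertised afterwards no longer matches and the client can abort. Note that a downgrade all the way to a mechanism with no security layer (PLAIN here) is not caught by this comparison, which is why the text scopes the rule to sessions where a layer was established.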