[NNTP] Extension snapshots 2

Russ Allbery rra at stanford.edu
Tue Jan 4 13:25:07 PST 2005


Ken Murchison <ken at oceana.com> writes:

> OK, how about this?  I think I state everything that you want as well as
> refer to the base doc.

> "After a successful authentication, the client MUST NOT issue another
> AUTHINFO command in the same session.  A server MUST NOT return the
> AUTHINFO capability in response to a CAPABILITIES command and a server
> MUST reject any subsequent AUTHINFO commands with a 502 response.
> Additionally, per section X.X of [NNTP], the client MUST NOT issue a
> MODE READER command after authentication and a server MUST NOT advertise
> the MODE_READER capability.

> In agreement with [SASL], if a security layer is established as part of
> the authentication, the server MUST continue to advertise the SASL
> capability in response to a CAPABILITIES command with the same list of
> SASL mechanisms as before authentication (thereby enabling the client to
> detect a possible active down-negotiation attack).

> The capability list returned in response to a CAPABILITIES command
> received after authentication MAY be different than the list returned
> before authentication.  For example, an NNTP server may not want to
> advertise support for a specific extension unless a client has been
> authenticated."

Looks great to me.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
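As an added illustration that is not part of the thread above, the following toy model shows both halves of the quoted rule: a server whose CAPABILITIES list drops the AUTHINFO and MODE_READER lines after a successful AUTHINFO (rejecting a second AUTHINFO or MODE READER with 502) while keeping the SASL mechanism list unchanged, and a client-side check that compares the SASL line before and after authentication to flag a possible down-negotiation. The capability spelling follows the quoted draft text; the mechanism list, the "STREAMING" authenticated-only capability, the credentials and the helper names are constructed for the example.

```python
"""Toy model of the post-authentication CAPABILITIES rules quoted in the
thread (added example, not the draft's or any server's code)."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass
class NntpSession:
    """One NNTP session with the state needed for the capability rules."""

    authenticated: bool = False
    # Constructed mechanism list; the same tuple is advertised before and
    # after authentication so the client can detect a tampered list.
    sasl_mechanisms: tuple = ("PLAIN", "DIGEST-MD5")
    # Constructed example of an extension only advertised once authenticated.
    authenticated_only: tuple = ("STREAMING",)

    def capabilities(self) -> list[str]:
        """Return the CAPABILITIES lines for the current session state."""
        caps = ["VERSION 2", "READER"]
        if not self.authenticated:
            # Both disappear after a successful AUTHINFO, per the quoted text.
            caps.append("MODE_READER")
            caps.append("AUTHINFO USER SASL")
        # The SASL line is kept, with the identical mechanism list.
        caps.append("SASL " + " ".join(self.sasl_mechanisms))
        if self.authenticated:
            caps.extend(self.authenticated_only)
        return caps

    def authinfo(self, username: str, password: str) -> str:
        """Handle AUTHINFO; a second attempt in the same session gets 502."""
        if self.authenticated:
            return "502 Command unavailable"
        # Constructed credential check standing in for a real backend.
        if (username, password) == ("alice", "constructed-secret"):
            self.authenticated = True
            return "281 Authentication accepted"
        return "481 Authentication failed"

    def mode_reader(self) -> str:
        """MODE READER is not allowed once the client has authenticated."""
        if self.authenticated:
            return "502 Command unavailable"
        return "200 Posting allowed"


def sasl_mechanisms_from(caps: list[str]) -> tuple:
    """Extract the mechanism names from the SASL capability line, if any."""
    for line in caps:
        if line.startswith("SASL "):
            return tuple(line.split()[1:])
    return ()


def downgrade_suspected(before: list[str], after: list[str]) -> bool:
    """Client-side check: the SASL mechanism list advertised before
    authentication must match the one advertised afterwards.  Any
    difference is treated as a possible active down-negotiation attempt
    and should abort the session rather than be silently accepted."""
    return sasl_mechanisms_from(before) != sasl_mechanisms_from(after)


if __name__ == "__main__":
    session = NntpSession()
    before = session.capabilities()
    print(session.authinfo("alice", "constructed-secret"))
    after = session.capabilities()
    print("\n".join(after))
    print("second AUTHINFO ->", session.authinfo("alice", "constructed-secret"))
    print("downgrade suspected:", downgrade_suspected(before, after))
```

A client using this check keeps the pre-authentication SASL line, re-issues CAPABILITIES once the security layer is up, and refuses to continue if the mechanism list has shrunk or changed; the server side never varies the SASL line with authentication state, even though other lines (AUTHINFO, MODE_READER, authenticated-only extensions) do change.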
