[NNTP] Extension snapshots 2
Clive D.W. Feather
clive at demon.net
Fri Jan 7 07:45:20 PST 2005
Ken Murchison said:
> In agreement with [SASL], if a security layer is established as part of
> the authentication, the server MUST continue to advertise the SASL
> capability in response to a CAPABILITIES command with the same list of
> SASL mechanisms as before authentication (thereby enabling the client
> to detect a possible active down-negotiation attack)."
Can we drop the condition, and just have the SASL capability be advertised
throughout the session?
If it's a useful technique at all (I remain skeptical) then leave the
possibility open no matter who's providing the security.
--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | Fax: +44 870 051 9937
Demon Internet | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc | |
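
The client-side check that the quoted draft text enables, as an added example that is not part of the original message or of the draft: compare the SASL mechanism list seen before authentication with the list returned under the security layer. The response layout (a `101` status line, one capability per line, a terminating `.`), the function names and the sample responses are assumptions constructed for illustration.

```python
# Added example; the sample responses below are constructed, not captured.
PRE_AUTH = (          # as received in cleartext, GSSAPI stripped in transit
    "101 Capability list:\r\n"
    "VERSION 2\r\n"
    "READER\r\n"
    "SASL DIGEST-MD5\r\n"
    ".\r\n"
)
POST_AUTH = (         # as received under the negotiated security layer
    "101 Capability list:\r\n"
    "VERSION 2\r\n"
    "READER\r\n"
    "SASL DIGEST-MD5 GSSAPI\r\n"
    ".\r\n"
)


def sasl_mechanisms(response):
    """Return the set of mechanisms on the SASL capability line,
    or None when the response has no SASL line."""
    for line in response.splitlines()[1:]:   # skip the status line
        if line == ".":                      # end of multi-line response
            break
        tokens = line.split()
        if tokens and tokens[0].upper() == "SASL":
            return {t.upper() for t in tokens[1:]}
    return None


def check_downgrade(before, after):
    """Compare the pre- and post-authentication lists; return findings."""
    pre, post = sasl_mechanisms(before), sasl_mechanisms(after)
    if post is None:
        return ["SASL capability not advertised after authentication"]
    pre = pre or set()
    findings = []
    if post - pre:
        findings.append("hidden before authentication: "
                        + ", ".join(sorted(post - pre)))
    if pre - post:
        findings.append("advertised only before authentication: "
                        + ", ".join(sorted(pre - post)))
    return findings


if __name__ == "__main__":
    for finding in check_downgrade(PRE_AUTH, POST_AUTH):
        print("possible down-negotiation:", finding)
```
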