[NNTP] Extension snapshots 2

Ken Murchison ken at oceana.com
Fri Jan 7 08:25:18 PST 2005


Clive D.W. Feather wrote:

> Ken Murchison said:
> 
>>In
>>agreement with [SASL], if a security layer is established as part of
>>the authentication, the server MUST continue to advertise the SASL
>>capability in response to a CAPABILITIES command with the same list of
>>SASL mechanisms as before authentication (thereby enabling the client
>>to detect a possible active down-negotiation attack)."
> 
> 
> Can we drop the condition, and just have the SASL capability be advertised
> throughout the session?
> 
> If it's a useful technique at all (I remain skeptical) then leave the
> possibility open no matter who's providing the security.

It's *really* only useful iff a security layer has been negotiated.
Otherwise an attacker can falsify the list of SASL mechanisms both 
before and after AUTHINFO SASL without the client knowing it.

But if Russ feels we should leave it open and always advertise SASL, 
then I won't argue.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
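The exchange Ken describes, as an added example that is not part of the original message or of any NNTP implementation: a client records the SASL mechanisms from CAPABILITIES before AUTHINFO SASL, then compares them with the list the server re-advertises afterwards. The mechanism names, the client's preference order, which mechanisms are assumed to negotiate a security layer, and the "attacker" that rewrites the SASL capability line are all constructed assumptions; the SASL exchange itself is modelled, not performed.

```python
# Constructed sample data (assumption, not from the thread): the mechanisms
# the real server offers, the client's preference order, and which of them
# are assumed to negotiate a SASL security layer. PLAIN never provides one.
SERVER_MECHS = ("GSSAPI", "DIGEST-MD5", "PLAIN")
LAYER_CAPABLE = frozenset({"GSSAPI", "DIGEST-MD5"})
CLIENT_PREFERENCE = ("GSSAPI", "DIGEST-MD5", "PLAIN")


def capabilities_response(mechs):
    """Build an RFC 3977-style CAPABILITIES reply carrying a SASL capability line."""
    body = ["101 Capability list:", "VERSION 2", "READER",
            "SASL " + " ".join(mechs), "."]
    return "\r\n".join(body) + "\r\n"


def parse_sasl_mechs(response):
    """Extract the advertised SASL mechanisms from a CAPABILITIES reply."""
    for line in response.split("\r\n"):
        if line == ".":            # end of the multi-line response
            break
        label, _, rest = line.partition(" ")
        if label.upper() == "SASL":
            return frozenset(m.upper() for m in rest.split())
    return frozenset()


def rewrite_sasl_line(response, keep):
    """Active attacker: rewrite the SASL line so that only `keep` is advertised."""
    out = []
    for line in response.split("\r\n"):
        if line.upper().startswith("SASL "):
            line = "SASL " + " ".join(keep)
        out.append(line)
    return "\r\n".join(out)


def passthrough(response):
    """No attacker on the path: the reply arrives unmodified."""
    return response


def pick_mechanism(advertised):
    """Client chooses the strongest mechanism it saw advertised."""
    for m in CLIENT_PREFERENCE:
        if m in advertised:
            return m
    raise ValueError("no mutually supported SASL mechanism")


def run_session(attacker=passthrough):
    """
    One NNTP session from the client's point of view:
      1. CAPABILITIES (clear text)  -> record the SASL mechanisms
      2. AUTHINFO SASL <chosen>      -> a security layer is assumed to come up
                                        iff the chosen mechanism supports one
      3. CAPABILITIES again          -> compare SASL mechanisms with step 1
    `attacker` is applied to every server reply that travels unprotected;
    once a security layer protects the channel the rewrite no longer lands.
    Returns (chosen_mechanism, security_layer, downgrade_detected).
    """
    before = parse_sasl_mechs(attacker(capabilities_response(SERVER_MECHS)))
    chosen = pick_mechanism(before)
    security_layer = chosen in LAYER_CAPABLE
    # The server MUST re-advertise the same list after authentication.
    reply = capabilities_response(SERVER_MECHS)
    after = parse_sasl_mechs(reply if security_layer else attacker(reply))
    return chosen, security_layer, before != after


if __name__ == "__main__":
    print(run_session())
    print(run_session(lambda r: rewrite_sasl_line(r, ("DIGEST-MD5", "PLAIN"))))
    print(run_session(lambda r: rewrite_sasl_line(r, ("PLAIN",))))
```

Stripping GSSAPI pushes the client to DIGEST-MD5, which still brings up a layer, so the post-auth list is the genuine one and the mismatch is caught. Stripping everything but PLAIN leaves no layer at all, the attacker rewrites the second reply exactly as the first, and the comparison passes: this is the case where the check buys nothing.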


