[NNTP] Extension snapshots 2

Russ Allbery rra at stanford.edu
Fri Jan 7 10:08:37 PST 2005


Ken Murchison <ken at oceana.com> writes:
> Clive D.W. Feather wrote:
>> Ken Murchison said:

>>> In agreement with [SASL], if a security layer is established as part
>>> of the authentication, the server MUST continue to advertise the SASL
>>> capability in response to a CAPABILITIES command with the same list of
>>> SASL mechanisms as before authentication (thereby enabling the client
>>> to detect a possible active down-negotiation attack)."

>> Can we drop the condition, and just have the SASL capability be
>> advertised throughout the session?  If it's a useful technique at all
>> (I remain skeptical) then leave the possibility open no matter who's
>> providing the security.

> It's *really* only useful iff a security layer has been
> negotiated. Otherwise an attacker can falsify the list of SASL
> mechanisms both before and after AUTHINFO SASL without the client
> knowing it.

> But if Russ feels we should leave it open and always advertise SASL, then
> I won't argue.

Isn't the key bit in the above the "same list of SASL mechanisms" part?  I
don't see any way of keeping that bit in without saying something like the
above, since there are other circumstances besides negotiating a security
layer via SASL where the advertised list *can* change.  (As a result of
STARTTLS, for instance.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
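As an added example, not part of this thread's text, here is how a client could apply the "same list of SASL mechanisms" check discussed above. It assumes RFC 3977-style CAPABILITIES responses (a "101" status line, one capability per line, a "." terminator) and uses constructed sample responses; it compares only the SASL line, since other lines such as STARTTLS legitimately change during a session.

```python
def parse_capabilities(response: str) -> dict:
    """Parse a CAPABILITIES response into {LABEL: [arguments]}.

    Assumes the RFC 3977 shape: "101 ..." status line, then one
    capability label (plus optional arguments) per line, ending in ".".
    """
    caps = {}
    lines = response.splitlines()
    if not lines or not lines[0].startswith("101"):
        raise ValueError("not a capability list response")
    for line in lines[1:]:
        if line == ".":
            break
        parts = line.split()
        caps[parts[0].upper()] = parts[1:]
    return caps


def sasl_mechanisms(caps: dict) -> frozenset:
    """Mechanism names from the SASL capability line, case-folded."""
    return frozenset(m.upper() for m in caps.get("SASL", []))


def check_downgrade(before: str, after: str, layer_established: bool) -> str:
    """Compare the SASL list seen before authentication with the one seen after.

    "ok"           - lists match, no sign the pre-auth list was altered
    "mismatch"     - lists differ although the post-auth response is protected
                     by a security layer: treat as possible down-negotiation
    "inconclusive" - no security layer, so both responses could have been
                     rewritten in transit and the comparison proves nothing
    """
    if not layer_established:
        return "inconclusive"
    pre = sasl_mechanisms(parse_capabilities(before))
    post = sasl_mechanisms(parse_capabilities(after))
    return "ok" if pre == post else "mismatch"


# Constructed sample responses (not captured from a real server).
PRE_AUTH = ("101 Capability list follows\r\nVERSION 2\r\nREADER\r\n"
            "SASL DIGEST-MD5 GSSAPI PLAIN\r\nSTARTTLS\r\n.\r\n")
POST_AUTH = ("101 Capability list follows\r\nVERSION 2\r\nREADER\r\n"
             "SASL DIGEST-MD5 GSSAPI PLAIN\r\n.\r\n")
# A pre-auth list that lacks mechanisms the protected post-auth list shows.
PRE_AUTH_TAMPERED = ("101 Capability list follows\r\nVERSION 2\r\nREADER\r\n"
                     "SASL PLAIN\r\nSTARTTLS\r\n.\r\n")
```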