[NNTP] Extension snapshots 2

Clive D.W. Feather clive at demon.net
Tue Jan 11 01:33:37 PST 2005


Russ Allbery said:
>> But if Russ feels we should leave it open and always advertise SASL, then
>> I won't argue.
> 
> Isn't the key bit in the above the "same list of SASL mechanisms" part?  I
> don't see any way of keeping that bit in without saying something like the
> above, since there are other circumstances besides negotiating a security
> layer via SASL where the advertised list *can* change.  (As a result of
> STARTTLS, for instance.)

True. All I'm asking is that the SASL capability remain advertised.

How about:

    The server MUST advertise the SASL capability throughout the session,
    even if no longer advertising the AUTHINFO capability. It MUST NOT
    change the list of SASL mechanisms as an effect of the AUTHINFO
    command, even if this establishes a security layer. (As described by
    [SASL], this then enables the client to detect a possible active
    down-negotiation attack.) It MAY change the list as an effect of
    other commands or extensions (e.g. [NNTP-TLS]).

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |
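As an added illustration of the rule proposed above (example code written for this page, not part of the original message and not taken from any NNTP implementation): a client records the SASL mechanism list the server advertised before AUTHINFO SASL, re-reads CAPABILITIES once the security layer is up, and refuses to continue if the SASL capability has vanished or its mechanism list differs, which is the down-negotiation check [SASL] describes. The CAPABILITIES responses are constructed samples; the function names, mechanism names and result strings are this example's own.

```python
"""Client-side check that the SASL mechanism list survived authentication.

Rule being illustrated: the server keeps advertising SASL with the same
mechanism list after AUTHINFO SASL (even with a security layer), while
it may drop AUTHINFO.  Any change to the list between the pre-auth
(possibly attacker-modified) read and the post-layer (protected) read is
treated as a possible active down-negotiation attack.
"""

# Constructed CAPABILITIES responses (RFC 3977 multi-line format,
# terminated by a lone "."); not captured from a real server.
SAMPLE_BEFORE_AUTH = (
    "101 Capability list:\r\n"
    "VERSION 2\r\n"
    "READER\r\n"
    "STARTTLS\r\n"
    "AUTHINFO USER SASL\r\n"
    "SASL PLAIN DIGEST-MD5 GSSAPI\r\n"
    ".\r\n"
)

# Compliant server after AUTHINFO SASL established a security layer:
# AUTHINFO is gone, SASL and its mechanism list are unchanged.
SAMPLE_AFTER_SASL_LAYER = (
    "101 Capability list:\r\n"
    "VERSION 2\r\n"
    "READER\r\n"
    "SASL PLAIN DIGEST-MD5 GSSAPI\r\n"
    ".\r\n"
)

# What a client would see if an active attacker had stripped the stronger
# mechanisms from the unprotected pre-auth response.
SAMPLE_DOWNGRADED_BEFORE = (
    "101 Capability list:\r\n"
    "VERSION 2\r\n"
    "READER\r\n"
    "AUTHINFO USER SASL\r\n"
    "SASL PLAIN\r\n"
    ".\r\n"
)

# Non-compliant server that stops advertising SASL after authentication.
SAMPLE_SASL_DROPPED = (
    "101 Capability list:\r\n"
    "VERSION 2\r\n"
    "READER\r\n"
    ".\r\n"
)


def parse_capabilities(response):
    """Parse a 101 CAPABILITIES response into {LABEL: [args...]}.

    Labels are case-insensitive (RFC 3977) and are upper-cased here;
    arguments are kept as sent.  Dot-stuffed lines ("..") are unstuffed.
    """
    lines = response.split("\r\n")
    if not lines or not lines[0].startswith("101"):
        raise ValueError("not a 101 capability list response")
    caps = {}
    for line in lines[1:]:
        if line == ".":
            break
        if line.startswith(".."):
            line = line[1:]
        label, *args = line.split()
        caps[label.upper()] = args
    else:
        raise ValueError("capability list not terminated by '.'")
    return caps


def check_sasl_advertisement(before_response, after_response):
    """Compare SASL advertisement before AUTHINFO and after the security layer.

    Returns (ok, reason).  Mechanisms are compared as an unordered set
    (assumption: order carries no meaning).  AUTHINFO disappearing is
    permitted and is deliberately not checked.
    """
    before = parse_capabilities(before_response)
    after = parse_capabilities(after_response)
    if "SASL" not in before:
        return False, "server never advertised SASL"
    if "SASL" not in after:
        return False, "SASL capability no longer advertised"
    if set(before["SASL"]) != set(after["SASL"]):
        return False, "SASL mechanism list changed: possible down-negotiation attack"
    return True, "SASL mechanism list unchanged"


if __name__ == "__main__":
    print(check_sasl_advertisement(SAMPLE_BEFORE_AUTH, SAMPLE_AFTER_SASL_LAYER))
    print(check_sasl_advertisement(SAMPLE_DOWNGRADED_BEFORE, SAMPLE_AFTER_SASL_LAYER))
    print(check_sasl_advertisement(SAMPLE_BEFORE_AUTH, SAMPLE_SASL_DROPPED))
```

The second call is the case the proposed wording exists for: the post-layer list is authentic, so a mismatch with the pre-auth list means the earlier, unprotected response was altered. The check is only meaningful when the second CAPABILITIES is read over the SASL security layer (or over TLS); without a protected channel an attacker can tamper with both reads consistently.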
