[NNTP] Snapshot 6

Clive D.W. Feather clive at demon.net
Tue Jan 11 01:56:17 PST 2005


Ken Murchison said:
> I believe I have discovered a problem with the capability modifier 
> mechanism.  If my server supports AUTHINFO, how do I advertise that 
> AUTHINFO USER and AUTHINFO SASL PLAIN require TLS, but all other SASL 
> mechanisms can be used without TLS?
> 
> We can't/shouldn't have the same capability advertised twice, e.g.:
> 
> -483 AUTHINFO USER
> AUTHINFO SASL
> -483 SASL PLAIN
> SASL CRAM-MD5 DIGEST-MD5

Actually, that's how I intended things to be done, and there are examples
saying so. Wording changed to:

    The server MUST NOT list the same capability twice in the response
    without modifiers or with the same set of modifiers.

> Do we allow modifiers to be interspersed in arguments, e.g.:
> 
> AUTHINFO SASL -483 USER
> SASL CRAM-MD5 DIGEST-MD5 -483 PLAIN

That would require us to put a restriction on the form of arguments. I'd
rather not do that.

> Granted, in this case a -483 isn't necessary to tell the client that it 
> needs TLS before AUTHINFO USER or AUTHINFO SASL PLAIN, since it can 
> infer this by the presence of STARTTLS and the absence of AUTHINFO USER 
> and SASL PLAIN.

No, because:
(a) the server might offer XENCRYPT rather than STARTTLS;
(b) even after a privacy layer is in effect, there's no requirement that
    the server will offer AUTHINFO USER or SASL PLAIN.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |
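The capability-modifier rule being discussed (a `-483` prefix marking a capability the server would currently refuse with a 483 response until a privacy layer is in place, and the "not the same capability twice with the same modifier set" restriction) is straightforward to turn into a client-side parser. The following is an added example, not code from the draft, from either poster or from any NNTP implementation; it assumes the modifier syntax exactly as shown in the quoted lines (one or more leading `-NNN` tokens before the capability label) and treats `483` as "TLS required", which is how the thread uses it. The sample response is constructed.

```python
"""Parse an NNTP CAPABILITIES body that uses the draft's capability-modifier
syntax and decide which AUTHINFO methods need TLS before credentials go out.

Constructed example (not from the draft or the ietf-nntp list).
Assumption: a capability line may begin with modifier tokens of the form
"-NNN"; "-483" is taken to mean the capability is refused until a privacy
layer (TLS) is active, as in the discussion above.
"""
from dataclasses import dataclass


@dataclass
class CapabilityLine:
    modifiers: frozenset   # e.g. frozenset({"483"}); empty when unmodified
    label: str             # e.g. "AUTHINFO" or "SASL"
    args: tuple            # e.g. ("USER",) or ("CRAM-MD5", "DIGEST-MD5")


def parse_capability_line(line):
    """Split "-483 SASL PLAIN" into modifiers, label and arguments."""
    tokens = line.split()
    mods = set()
    while tokens and tokens[0].startswith("-") and tokens[0][1:].isdigit():
        mods.add(tokens[0][1:])
        tokens.pop(0)
    if not tokens:
        raise ValueError("capability line has no label: %r" % line)
    return CapabilityLine(frozenset(mods), tokens[0].upper(), tuple(tokens[1:]))


def parse_capabilities(body_lines):
    """Parse the lines after the status line; the terminating '.' is skipped."""
    return [parse_capability_line(l) for l in body_lines
            if l.strip() and l.strip() != "."]


def find_duplicate_listings(caps):
    """Labels listed twice with no modifiers or with the same modifier set,
    i.e. violations of the MUST NOT quoted in the thread."""
    seen = set()
    dups = []
    for c in caps:
        key = (c.label, c.modifiers)
        if key in seen:
            dups.append(c.label)
        seen.add(key)
    return dups


def tls_requirements(caps):
    """Map 'AUTHINFO USER', 'SASL PLAIN', ... to True if marked -483.
    If a method appears both modified and unmodified, the conservative
    client choice taken here is to require TLS."""
    req = {}
    for c in caps:
        needs_tls = "483" in c.modifiers
        if c.label == "AUTHINFO":
            for a in c.args:
                a = a.upper()
                if a != "SASL":   # mechanisms live under the SASL capability
                    req["AUTHINFO " + a] = req.get("AUTHINFO " + a, False) or needs_tls
        elif c.label == "SASL":
            for m in c.args:
                key = "SASL " + m.upper()
                req[key] = req.get(key, False) or needs_tls
    return req


def may_use_auth_method(req, method, tls_active):
    """Client-side gate: use only methods the server listed, and a -483
    method only once TLS is up. Unknown methods are refused."""
    if method not in req:
        return False
    return tls_active or not req[method]


# Constructed CAPABILITIES body matching the layout quoted in the thread.
SAMPLE_BODY = [
    "VERSION 2",
    "STARTTLS",
    "-483 AUTHINFO USER",
    "AUTHINFO SASL",
    "-483 SASL PLAIN",
    "SASL CRAM-MD5 DIGEST-MD5",
    ".",
]

if __name__ == "__main__":
    caps = parse_capabilities(SAMPLE_BODY)
    print("duplicates:", find_duplicate_listings(caps))
    for method, needs in sorted(tls_requirements(caps).items()):
        print("%-16s TLS required: %s" % (method, needs))
```

Because the server lists `AUTHINFO` once with `-483` and once without, the duplicate check passes; a body that repeated `AUTHINFO` with the same (empty) modifier set would be flagged. The gate in `may_use_auth_method` is the practical point: a client that only infers TLS needs from the presence of STARTTLS would happily send `AUTHINFO USER` in the clear to a server that marks it `-483`, whereas reading the modifier makes the refusal explicit before any credential leaves the client.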
