[NNTP] Snapshot 6
Clive D.W. Feather
clive at demon.net
Tue Jan 11 01:56:17 PST 2005
Ken Murchison said:
> I believe I have discovered a problem with the capability modifier
> mechanism. If my server supports AUTHINFO, how do I advertise that
> AUTHINFO USER and AUTHINFO SASL PLAIN require TLS, but all other SASL
> mechanisms can be used without TLS?
>
> We can't/shouldn't have the same capability advertised twice, e.g.:
>
> -483 AUTHINFO USER
> AUTHINFO SASL
> -483 SASL PLAIN
> SASL CRAM-MD5 DIGEST-MD5
Actually, that's how I intended things to be done, and there are examples
saying so. Wording changed to:

    The server MUST NOT list the same capability twice in the response
    without modifiers or with the same set of modifiers.
> Do we allow modifiers to be interspersed in arguments, e.g.:
>
> AUTHINFO SASL -483 USER
> SASL CRAM-MD5 DIGEST-MD5 -483 PLAIN
That would require us to put a restriction on the form of arguments. I'd
rather not do that.
> Granted, in this case a -483 isn't necessary to tell the client that it
> needs TLS before AUTHINFO USER or AUTHINFO SASL PLAIN, since it can
> infer this by the presence of STARTTLS and the absence of AUTHINFO USER
> and SASL PLAIN.
No, because:
(a) the server might offer XENCRYPT rather than STARTTLS;
(b) even after a privacy layer is in effect, there's no requirement that
the server will offer AUTHINFO USER or SASL PLAIN.
--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | Fax: +44 870 051 9937
Demon Internet | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc | |
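
A client-side reading of the capability lines discussed in this message, as an added example that is not part of the original post or of the draft. It assumes a modifier is a leading token of the form "-" plus three digits and that -483 marks an entry as needing a privacy layer first; the function names are hypothetical.

```python
import re

MODIFIER = re.compile(r"^-\d{3}$")  # assumed modifier syntax, e.g. -483

# Constructed sample: the capability lines quoted in the message above.
SAMPLE = [
    "-483 AUTHINFO USER",
    "AUTHINFO SASL",
    "-483 SASL PLAIN",
    "SASL CRAM-MD5 DIGEST-MD5",
]

def parse_capabilities(lines):
    """Return (capability, modifiers, arguments) for each line.

    Only leading tokens are treated as modifiers; anything after the
    capability label is an argument, since the reply declines the
    interspersed form.
    """
    entries, seen = [], set()
    for line in lines:
        tokens = line.split()
        mods = []
        while tokens and MODIFIER.match(tokens[0]):
            mods.append(tokens.pop(0))
        if not tokens:
            raise ValueError(f"no capability label in {line!r}")
        key = (tokens[0].upper(), frozenset(mods))
        # Reworded rule: the same capability may repeat only when the
        # set of modifiers differs.
        if key in seen:
            raise ValueError(f"capability repeated with same modifiers: {line!r}")
        seen.add(key)
        entries.append((key[0], key[1], [t.upper() for t in tokens[1:]]))
    return entries

def auth_options(entries):
    """Split advertised authentication methods by the -483 modifier."""
    usable_now, needs_privacy = set(), set()
    for cap, mods, args in entries:
        if cap not in ("AUTHINFO", "SASL"):
            continue
        names = {f"{cap} {a}" for a in args}
        (needs_privacy if "-483" in mods else usable_now).update(names)
    return usable_now, needs_privacy
```

A client that sends credentials only with methods from the first set never puts AUTHINFO USER or SASL PLAIN on the wire before a privacy layer is active.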