[NNTP] Snapshot 6

Russ Allbery rra at stanford.edu
Tue Jan 11 10:51:18 PST 2005


Ken Murchison <ken at oceana.com> writes:

> Technically you're correct, but I find it highly unlikely that a server
> would advertise AUTHINFO and a security layer such as STARTTLS or
> XENCRYPT, but *not* implement AUTHINFO USER or SASL PLAIN under a
> security layer.

Hm, I can actually see a very paranoid Kerberos site simply not allowing
SASL PLAIN no matter what encryption layer is negotiated, requiring all
clients to instead use GSSAPI so that their password never leaves their
system.  I certainly wouldn't expect this to be a common configuration,
but if the site is, say, using Kerberos with smart cards exclusively as
their authentication mechanism, it could happen.

I'm still unhappy with the modifiers for a different reason, though,
namely that it doesn't seem to me like it adds that much useful
information to a client unless we make them mandatory (which I think we're
agreed on not doing).  If something like:

    AUTHINFO SASL
    -480 READER POST

is there, then the client knows it *might* be able to post after
authenticating, but still doesn't know if it actually will be able to post
afterwards since it's going to depend on the credentials presented.  If
this line isn't there and the server just says:

    AUTHINFO SASL
    READER LISTGROUP

then the client doesn't know for certain that authentication *won't* help,
since the server may just not be using modifiers.  So it feels like the
modifiers are both insufficiently precise to allow the client to make
complete decisions as to whether or not to try something, and at the same
time not sufficient to help the client decide *not* to try something.

It seems like the -- modifiers are the only ones that are really explicit
about telling the client that it doesn't need to try things, if they're
present.

I'm not really sure how I'd use these capabilities as a client even if I
wanted to.  Clive, could you possibly sketch out how you anticipate a
client using those capabilities to make decisions?

It still seems like a lot of complexity for little gain to me.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
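The decision problem Russ raises above, as an added example (not code from the thread or from any NNTP implementation): a small Python parser for the draft capability syntax quoted in the message. It assumes that each token on a capability line is a label, that a `-480` prefix means "may become available after authentication", and that a bare line means "available now"; the sample responses are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed CAPABILITIES responses in the draft syntax quoted in the message.
WITH_MODIFIER = """101 Capability list:
VERSION 2
AUTHINFO SASL
-480 READER POST
."""

WITHOUT_MODIFIER = """101 Capability list:
VERSION 2
AUTHINFO SASL
READER LISTGROUP
."""


@dataclass
class Capabilities:
    available: set = field(default_factory=set)    # usable without authenticating
    after_auth: set = field(default_factory=set)   # advertised under a -480 modifier
    auth_methods: set = field(default_factory=set)  # arguments of AUTHINFO


def parse_capabilities(text: str) -> Capabilities:
    """Parse a capability list; '-NNN' prefixes are treated as modifiers (assumed semantics)."""
    caps = Capabilities()
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0] in (".", "101", "VERSION"):
            continue
        modifier = None
        if re.fullmatch(r"-\d{3}", tokens[0]):
            modifier, tokens = tokens[0], tokens[1:]
        if tokens and tokens[0] == "AUTHINFO":
            caps.auth_methods.update(tokens[1:])
        elif modifier == "-480":
            caps.after_auth.update(tokens)
        elif modifier is None:
            caps.available.update(tokens)
    return caps


def decide(caps: Capabilities, label: str) -> str:
    """What the client can conclude about `label` from the list alone."""
    if label in caps.available:
        return "available"
    if label in caps.after_auth:
        return "maybe-after-auth"  # might work, but depends on the credentials presented
    if caps.auth_methods:
        return "unknown"           # server may simply not be using modifiers
    return "unavailable"
```

With the modifier present, POST resolves only to "maybe-after-auth"; without it, POST resolves to "unknown", which is the gap in precision the message describes.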
