[NNTP] Extension snapshots 2

Russ Allbery rra at stanford.edu
Tue Jan 11 15:22:15 PST 2005


Clive D W Feather <clive at demon.net> writes:

> True. All I'm asking is that the SASL capability remain advertised.

> How about:

>     The server MUST advertise the SASL capability throughout the session,
>     even if no longer advertising the AUTHINFO capability. It MUST NOT
>     change the list of SASL mechanisms as an effect of the AUTHINFO
>     command, even if this establishs a security layer. (As described by
>     [SASL], this then enables the client to to detect a possible active
>     down-negotiation attack.) It MAY change the list as an effect of
>     other commands or extensions (e.g. [NNTP-TLS]).

This is fine with me.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the ietf-nntp mailing list