[NNTP] Extension snapshots 2
Ken Murchison
ken at oceana.com
Wed Jan 12 07:49:04 PST 2005
Russ Allbery wrote:
> Clive D W Feather <clive at demon.net> writes:
>
>>True. All I'm asking is that the SASL capability remain advertised.
>
>>How about:
>
>> The server MUST advertise the SASL capability throughout the session,
>> even if no longer advertising the AUTHINFO capability. It MUST NOT
>> change the list of SASL mechanisms as an effect of the AUTHINFO
>> command, even if this establishes a security layer. (As described by
>> [SASL], this then enables the client to detect a possible active
>> down-negotiation attack.) It MAY change the list as an effect of
>> other commands or extensions (e.g. [NNTP-TLS]).
>
> This is fine with me.

I like Clive's wording, but it didn't seem to fit seamlessly with the
current text. Here's what I have now, which is a merging and slight
modification of two adjacent paragraphs in pre3:

"In agreement with [SASL], the server MUST continue to advertise the SASL
capability in response to a CAPABILITIES command with the same list of
SASL mechanisms as before authentication (thereby enabling the client
to detect a possible active down-negotiation attack). Other
capabilities returned in response to a CAPABILITIES command received
after authentication MAY be different than those returned before
authentication. For example, an NNTP server may not want to advertise
support for a specific extension unless a client has been
authenticated."
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
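
Added example (not part of the original message or of the draft): a client-side check for the rule discussed above, comparing the SASL mechanism list returned by CAPABILITIES before and after authentication. The response layout, the sample responses and the client preference order are assumptions made for illustration; the comparison is only meaningful when the second list arrives under the negotiated security layer.

```python
# Added example. The two responses are constructed samples, not captured traffic.
BEFORE_AUTH = "101 Capability list:\r\nVERSION 2\r\nAUTHINFO SASL\r\nSASL DIGEST-MD5\r\n.\r\n"
AFTER_AUTH = "101 Capability list:\r\nVERSION 2\r\nSASL DIGEST-MD5 GSSAPI\r\n.\r\n"
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5"]  # assumed client policy, strongest first


def sasl_mechanisms(response):
    """Return the mechanisms on the SASL line of a CAPABILITIES response.

    Assumed layout: status line, one capability per line, lone "." terminator.
    """
    for line in response.splitlines():
        tokens = line.split()
        if tokens and tokens[0].upper() == "SASL":
            return frozenset(t.upper() for t in tokens[1:])
    return frozenset()


def check_downgrade(before, after, used, preference):
    """Compare the SASL lists seen before and after authentication."""
    pre, post = sasl_mechanisms(before), sasl_mechanisms(after)
    findings = []
    if not post:
        findings.append("SASL capability not advertised after authentication")
    elif pre != post:
        findings.append("SASL list changed: added=%s removed=%s"
                        % (sorted(post - pre), sorted(pre - post)))
    # A mechanism ranked above the one actually used, and visible only after
    # authentication, suggests the first list was stripped in transit.
    rank = {m.upper(): i for i, m in enumerate(preference)}
    used_rank = rank.get(used.upper(), len(rank))
    better = sorted(m for m in post - pre if rank.get(m, len(rank)) < used_rank)
    if better:
        findings.append("possible down-negotiation: %s preferred over %s"
                        % (", ".join(better), used))
    return findings


if __name__ == "__main__":
    for finding in check_downgrade(BEFORE_AUTH, AFTER_AUTH, "DIGEST-MD5", PREFERENCE):
        print(finding)
```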