Re: POP handling commands given in wrong state

[Paul Smith <paul@pscs.co.uk>]

On 26/07/2011 10:22, Mykyta Yevstifeyev wrote:
> 26.07.2011 11:12, Paul Smith wrote:
>> On 26/07/2011 05:59, Mykyta Yevstifeyev wrote:
>>
>> [ . .  .]
>>
>> If the state was server defined, so that it may change on the 
>> server's decision, rather than by purely bad coding in the client, 
>> then yes, an extended response code may be useful, but when it is 
>> only bad coding in the client which can make it happen - no.
> Paul,
>
> [Adding Alexey Melnikov to CC list; see below.]
>
> I meant just the situation like this.  Eg., when one is using 
> POP3-over-TLS whereas TLS connection is established before POP 
> transaction starts, TLS negotiation may be used instead USER-PASS or 
> AUTH authentication, entering the server into the TRANSACTION state; 
> on the other hand, the server may require authentication under TLS 
> layer, entering AUTHORIZATION state after establishing TLS 
> connection.  I and Alexey Melnikov are currently working on the 
> POP-over-TLS specification 
> (https://datatracker.ietf.org/doc/draft-melnikov-pop3-over-tls/) and 
> the problem is that the client don't know what state is the server in 
> after TLS negotiation.  If the client tries giving USER and received 
> -ERR, it may mean that the user name is unknown or that the user is 
> authenticated already, and the client can't know for sure what does it 
> mean.  Don't you have other idea of indicating the state?

Hmm. I'd say that was a problem with the POP3 over TLS idea

It seems wrong to have to try to do something, and see if you get an 
error to see what you should do next. I know ESMTP does it, and the POP3 
'CAPA' do it, but that's because those things were added as a hindsight 
after the base spec had been deployed. For a new standard to need it 
just feels wrong.

Personally, I'd expect authentication to always be required, even if 
it's redundant. It just seems too much of a change from the base POP3 
spec to skip the authorization stage.

So, you could have the TLS session established which establishes the 
user's identity, and then do
USER anything
+OK
PASS anything
+OK

or you could use the USER/PASS as a part of two factor authentication 
(the certificate is something you have, the username/password is 
something you know)

Going straight from session establishment into transaction state seems 
wrong to me, given the base POP3 spec which POP3-over-TLS is building on.


BTW - why are you looking at POP3-over-TLS? Isn't this idea obsolete - 
isn't the 'STLS' command (RFC 2595) the way we should be doing things 
now? I thought the POP3S way was deprecated.

Note that the RFC 2595 says:
"The STLS command is only permitted in AUTHORIZATION state and the 
server remains in AUTHORIZATION state, even if client credentials are 
supplied during the TLS negotiation." so with STLS you have to 
authenticate (not sure why it's called 'authorization' state when it's 
really 'authentication' state, but that's not relevant) even if the TLS 
has already supplied the user details.