
[authmeth] effect of StartTLS on authentication state

A WG member has asked whether the server should drop all knowledge of the connection, i.e. return to anonymous state, if it gets a StartTLS request on a connection that has successfully bound using the simple method. I believe that the intent of section 5 of the authmeth draft is clear on this point: if the association is in state S4 (authenticated but no TLS) and the client performs action A3 (sends a StartTLS request), then the next association state is S5 (authenticated with TLS).
 
My understanding of existing implementations leads me to believe that this is the generally accepted understanding of the way this should work.  I can't see any serious security issues with maintaining this behavior. Therefore, I propose that we do not change this requirement.  I will consider adding wording to clarify this point if WG members request it.
 
Please respond with your opinions.
 
Thanks,
 
Roger
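As an added illustration (not part of the original message or the authmeth draft), the following model encodes the two candidate behaviours for a StartTLS request on a simple-bound association: the draft's S4 -> S5 transition, which keeps the bound identity, and the alternative raised by the WG member, which resets the association to anonymous. Only the state names S4 and S5 and action A3 come from the message; the boolean representation and the descriptive names for the anonymous states are assumptions of this model.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Association:
    """Security state of one LDAP connection (constructed model)."""
    authenticated: bool  # True once a simple bind has succeeded
    tls: bool            # True once StartTLS has completed


def state_name(assoc: Association) -> str:
    """Map the model onto the draft's state labels where the message names them.

    S4 and S5 are the labels used in the message; the anonymous states are
    given descriptive names here because the message does not number them.
    """
    if assoc.authenticated:
        return "S5" if assoc.tls else "S4"
    return "anonymous+tls" if assoc.tls else "anonymous"


def simple_bind(assoc: Association, credentials_ok: bool) -> Association:
    """A successful simple bind authenticates; a failed one leaves anonymous."""
    return replace(assoc, authenticated=credentials_ok)


def start_tls(assoc: Association, drop_identity: bool = False) -> Association:
    """Action A3 (StartTLS request) accepted by the server.

    drop_identity=False follows the draft's intent as stated in the message:
    S4 -> S5, the bound identity survives TLS negotiation.
    drop_identity=True models the alternative the WG member asked about:
    the server forgets the bind and returns the association to anonymous.
    """
    if drop_identity:
        return Association(authenticated=False, tls=True)
    return replace(assoc, tls=True)


def trace(drop_identity: bool = False) -> list[str]:
    """Walk a connection through bind then StartTLS and return the state names."""
    assoc = Association(authenticated=False, tls=False)
    states = [state_name(assoc)]
    assoc = simple_bind(assoc, credentials_ok=True)
    states.append(state_name(assoc))
    assoc = start_tls(assoc, drop_identity=drop_identity)
    states.append(state_name(assoc))
    return states
```

Running `trace()` gives `["anonymous", "S4", "S5"]`, the transition the message describes; `trace(drop_identity=True)` gives `["anonymous", "S4", "anonymous+tls"]`, the behaviour the question asked about.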