IETF-SSH archive
X11 forwarding
I recognize it may be too late to get this into the upcoming RFCs - but
if I don't mention it, it definitely won't get in....
In an offlist email exchange about X11 forwarding, I realize there is
an aspect of it which is unsaid in the drafts, but is important:
existing server implementations use the "x11 authentication protocol"
and "x11 authentication cookie" (which really are *authorization*
values rather than *authentication* values, but never mind) values directly,
rather than providing their own nonce authorization information for the
session and replacing it with the values from the x11-req when
forwarding connections.
The reason I mention this now is that it is critical for security that
client implementors understand this expectation, and there is nothing
in the drafts even alluding to it. Indeed, I am astonished to hear
that existing servers work this way, but I consider my correspondent
competent to report their behaviour accurately. Until I was told this,
I had no idea server implementers were that crazy - for, yes, I do
consider it crazy; quite aside from the security aspects of it, it
means that the *client* must know what authorization-protocol-name and
authorization-protocol-data (to give them their X names) are
appropriate on the *server*'s system.
I assume it is too late to fix the semantics. But is it too late to
get a note added warning implementors of this?
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents.montreal.qc.ca@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
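The design the message argues for, as an added illustration that is not part of the original post or of any SSH implementation: the forwarding side hands the peer a per-session nonce cookie in place of the real X server cookie, then parses each forwarded X11 connection setup request, checks that it carries that nonce, and only then substitutes the real cookie before the connection reaches the X server. The `X11ForwardingSession` class, the 16-byte cookie size and the sample cookies are assumptions made for the example; the setup-request layout follows the X11 protocol's connection setup format.

```python
import hmac
import os
import struct

# Added example, not from the original post. Models the X11 forwarding
# design the message argues for: the SSH side hands out a per-session
# nonce cookie, and only substitutes the real X server cookie into
# forwarded connections that present that nonce.

PROTO = b"MIT-MAGIC-COOKIE-1"  # authorization-protocol-name used throughout


def pad4(n):
    """Bytes needed to round n up to a multiple of 4 (X protocol padding)."""
    return (4 - n % 4) % 4


def parse_x11_setup(packet):
    """Parse an X11 connection setup request.

    Layout: byte-order byte, pad, major, minor, name length, data length,
    2 pad bytes, name, pad, data, pad. Returns (fmt, major, minor, name,
    data, rest), where rest is any bytes following the setup request.
    """
    if len(packet) < 12:
        raise ValueError("setup request too short")
    order = packet[0:1]
    if order == b"B":
        fmt = ">"  # most significant byte first
    elif order == b"l":
        fmt = "<"  # least significant byte first
    else:
        raise ValueError("invalid byte-order byte %r" % order)
    major, minor, nlen, dlen = struct.unpack(fmt + "HHHH", packet[2:10])
    off = 12
    name = packet[off:off + nlen]
    off += nlen + pad4(nlen)
    data = packet[off:off + dlen]
    off += dlen + pad4(dlen)
    if len(name) != nlen or len(data) != dlen:
        raise ValueError("setup request truncated")
    return fmt, major, minor, name, data, packet[off:]


def build_x11_setup(fmt, major, minor, name, data, rest=b""):
    """Serialise a setup request carrying the given authorization values."""
    order = b"B" if fmt == ">" else b"l"
    header = (order + b"\0"
              + struct.pack(fmt + "HHHH", major, minor, len(name), len(data))
              + b"\0\0")
    return (header + name + b"\0" * pad4(len(name))
            + data + b"\0" * pad4(len(data)) + rest)


class X11ForwardingSession:
    """X11 forwarding state for one SSH session (hypothetical class)."""

    def __init__(self, real_cookie):
        self.real_cookie = real_cookie         # the local X server's real cookie
        self.session_cookie = os.urandom(16)   # fresh nonce; the only value the peer sees

    def x11_req_values(self):
        """Values for the x11-req / remote xauth entry: the nonce, never the real cookie."""
        return PROTO, self.session_cookie.hex()

    def rewrite_forwarded_setup(self, packet):
        """Validate a forwarded connection's setup request and swap in the real cookie.

        Returns the rewritten request, or None when the peer did not present
        the session nonce (the forwarded connection should then be dropped).
        """
        fmt, major, minor, name, data, rest = parse_x11_setup(packet)
        if name != PROTO or not hmac.compare_digest(data, self.session_cookie):
            return None
        return build_x11_setup(fmt, major, minor, PROTO, self.real_cookie, rest)


if __name__ == "__main__":
    # Constructed sample: a 16-byte "real" cookie and one forwarded connection.
    session = X11ForwardingSession(bytes.fromhex("00112233445566778899aabbccddeeff"))
    forwarded = build_x11_setup(">", 11, 0, PROTO, session.session_cookie)
    print(parse_x11_setup(session.rewrite_forwarded_setup(forwarded))[4].hex())
```

Because the peer only ever learns the session nonce, a client no longer has to know which authorization protocol and data the server's X setup expects, and a forwarded connection arriving with any other cookie is refused rather than passed through.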