ietf-nntp RFC977bis w.r.t. authentication
Larry Osterman (Exchange)
larryo at Exchange.Microsoft.com
Tue May 5 13:40:03 PDT 1998
As far as I know, there is NOTHING that needs to be done for "SASL
complience" in the protocol definition except citing RFC2222 in the text.
And I believe that the AUTHINFO GENERIC mechanism as currently specified
satisfies the requirements for SASL, if the paragraph in 9.1.2:
The server will attempt to engage the server end
authenticator; similarly, the client should engage the client
end authenticator. The server end authenticator will then
initiate authentication using the NNTP sockets (if appropriate
for that authentication protocol), using the protocol
specified by the authenticator name. These authentication
protocols are not included in this document, but are similar
in structure to those referenced in RFC 1731 for the IMAP-4
is changed to reference RFC2222 instead of 1731 (which should be 2060 at
this point anyway).
The only addition that I would suggest is the ability of enumerating the
SASL providers. The Microsoft Exchange and MCIS servers (and the Outlook
Express and Outlook clients) do this by returning a list of SASL providers
supported in the response to AUTHINFO GENERIC if there are no parameters
Some text regarding the encoding of the arguments to AUTHINFO GENERIC is
probably appropriate, personally I'd suggest BASE64 encoding (mostly because
NNTP is a 7bit protocol and since the SASL packages toss around arbitrary
binary data, it makes sense, and partly because that's what the MS servers
have done :-)).
And while we're talking about AUTHINFO GENERIC, the last paragraph in 9.1.2
gives me heartburn - The server provides the client with the USERS email
address by an undefined mechanism???????? And then if the From: field of
posts doesn't match this email address, it puts a Sender: field in the post?
Personally I'd never use such a server, while guaranteeing the identity of
posters is interesting, there are HUGE privacy issues with a server that
broadcasts a VALIDATED email address of a user over the internet. I
recognise that masking email addresses is a poor way of avoiding SPAM,
Sent from larryo-laptop.dns.microsoft.com running NT5 and Outlook 98 and
Exchange Server 5.5. Please notify the sender of any difficulties
From: Chris Lewis [mailto:Chris.Lewis.clewis at nt.com]
Sent: Tuesday, May 05, 1998 1:03 PM
To: ietf-nntp at academ.com
Subject: Re: ietf-nntp RFC977bis w.r.t. authentication
Nat Ballou (Exchange) wrote:
> > This is precisely why it was decided to move this out of the main
> > It's going to take time to get these bits right. Other than these bits,
> > there is little else that folks are expressing concerned about in the
> > draft.
> On this issue, I believe the consensus is that it's worth the wait.
> BTW, there are implementations - server and client - doing AUTHINFO
> today. If Chris or you would like more info on how this works, give me
> a shout and I'll gladly help out.
It's not necessary - I was the one who invented AUTHINFO GENERIC (with
a little nudge from Rich $alz), implemented it for INN,
NNTP 1.5.12, trn, tin and even xrn, and provided the docs for Stan ;-)
Is Microsoft's server doing it now?
> I'm all for following SASL to the
> letter on this one - but let's avoid arbitrary differences that break
> existing practice ...
I need to read up more on SASL to find out where the compatibilities are.
If there are any...
More information about the ietf-nntp