ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Ken Murchison ken at oceana.com
Thu Dec 12 13:21:33 PST 2002


Charles Lindsey wrote:
> 
> In <3DF779C6.B10F31B5 at oceana.com> Ken Murchison <ken at oceana.com> writes:
> 
> >Just to clarify, this isn't a problem with SASL.  The problem is with
> >Andrew's requirements and the lack of a documented/implemented SASL
> >mechanism which satisfies those requirements.  SASL itself is not the
> >cause of the problem any more than AUTHINFO USER/PASS is.
> 
> Then I think someone needs to be devising a SASL mechanism other than PLAIN.

Well, since all of the other SASL-enabled protocols seem comfortable
with PLAIN/STARTTLS, I'm guessing that the effort to develop this new
SASL mechanism will have to be initiated by this WG/list.

Is PLAIN/STARTTLS completely out of the question for NNTP even in the
presence of SSL/TLS accelerator cards and TLS session reuse?

Just out of curiosity, how is this issue being resolved today?  With
AUTHINFO GENERIC?


> >No.  The only one close is the one that Jeff noted:
> >http://www.alternic.org/drafts/drafts-n-o/draft-newman-sasl-passdss-01.txt
> 
> >If Jeff is still working with Chris on the NNTP security draft, maybe he
> >can ask him why this mechanism never moved forward.  My guess is because
> >of the presence of PLAIN and STARTTLS.
> 
> AFAIR, at the time we removed AUTHINFO from our draft (that was years
> ago), it was because we were told that the IETF would no longer
> countenance any new standards that allowed (let alone required) the
> sending of passwords in plain text. I have always assumed that this was the
> issue on which Chris was supposed to be working.

It is my understanding that plaintext mechs are allowed as long as they
can be protected by some external layer (eg, TLS).  The updated IMAP
draft has language to this effect and has passed an initial IESG
review.  That being said, other members of ietf-imapext and ietf-sasl
are more qualified to address this issue.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp


