ietf-nntp My notes from the NNTP WG meeting at the 37th IETF
Chris Newman
Chris.Newman at INNOSOFT.COM
Fri Dec 20 13:02:51 PST 1996
On Fri, 20 Dec 1996, Rich Salz wrote:
> By the time the code and "spec" got out there, I had given up almost all
> work on NNTP. I also didn't know enough about SASL, but at the time
> AG :) was only lagging about two months behind SASL. John ran really
> hard with his implementation, etc., so the gap is now probably six
> months in terms of finish AG, quality of implementation, etc. I don't
> know what's the better course of action, primarily because I don't know
> much about SASL. For example, does it include negotiation that is not
> suspect to man-in-the-middle downgrading? (I.e., it's not CAT-IETF SNEGO?)

Yes. SASL has been reviewed by CAT. GSSAPI is one SASL mechanism, but
SASL adds the concept of a "session layer" which is needed for
integrity/encryption protection of a streaming protocol and also allows
simpler non-GSSAPI mechanisms.

Personally, I think AUTHINFO GENERIC should either be dropped from the
core draft, or replaced with SASL in the core draft. The last thing we
need is two plug-in auth/encrypt modules when one is already deployed
(albeit not for NNTP).