ietf-nntp IETF 41 summary -- Comments Welcome

Ned Freed Ned.Freed at INNOSOFT.COM
Mon May 4 20:34:11 PDT 1998


> >If IESG will not permit the document to move forward because of the
> >AUTHINFO issue, is it worth holding up the rest of the work?

> In that eventuality, can AUTHINFO simply be omitted from the main
> specification and again documented separately as a common practice?
> Historically, it's been in the NNTP code from very near its beginning,
> although we developed it post-RFC977.

We have to have something -- the IETF no longer tolerates protocols that use
plaintext passwords. Trying to fight this is, in my estimation at least,
futile.

What I believe we decided we'd do in the LA WG meeting was to move AUTHINFO
elsewhere and document how port restrictions are commonly used to prevent
malicious use of servers. This captures fairly common existing practice and
doesn't tread on the "plaintext passwords" toe.

Mind you, I don't know for sure that this will fly with the IESG, but Harald
seemed to think it was worth a shot.

				Ned


