ietf-nntp IETF 41 summary -- Comments Welcome
Chris Lewis
Chris.Lewis.clewis at nt.com
Tue May 5 07:04:12 PDT 1998
Ned Freed wrote:
>
> > >If IESG will not permit the document to move forward because of the
> > >AUTHINFO issue, is it worth holding up the rest of the work?
>
> > In that eventuality, can AUTHINFO simply be omitted from the main
> > specification and again documented separately as a common practice?
> > Historically, it's been in the NNTP code from very near its beginning,
> > although we developed it post-RFC977.
>
> We have to have something -- the IETF no longer tolerates protocols that use
> plaintext passwords. Trying to fight this is, in my estimation at least,
> futile.
>
> What I believe we decided we'd do in the LA WG meeting was to move AUTHINFO
> elsewhere and document how port restrictions are commonly used to prevent
> malicious use of servers. This captures fairly common existing practice and
> doesn't tread on the "plaintext passwords" toe.
>
> Mind you, I don't know for sure that this will fly with the IESG, but Harald
> seemed to think it was worth a shot.

AUTHINFO GENERIC doesn't presuppose plaintext passwords at all.
Exactly _which_ AUTHINFO are we talking about here? AUTHINFO USER/PASS,
AUTHINFO SIMPLE or AUTHINFO GENERIC?

I think I'll consult with my local IESG member - which is most appropriate for
this issue given he's co-chair of Security ;-)