ietf-nntp RFC977bis w.r.t. authentication

Chris Lewis Chris.Lewis.clewis at nt.com
Tue May 5 07:26:10 PDT 1998


Ned Freed wrote:
> 
> > >If IESG will not permit the document to move forward because of the
> > >AUTHINFO issue, is it worth holding up the rest of the work?
> 
> > In that eventuality, can AUTHINFO simply be omitted from the main
> > specification and again documented separately as a common practice?
> > Historically, it's been in the NNTP code from very near its beginning,
> > although we developed it post-RFC977.
> 
> We have to have something -- the IETF no longer tolerates protocols that use
> plaintext passwords. Trying to fight this is, in my estimation at least,
> futile.
> 
> What I believe we decided we'd do in the LA WG meeting was to move AUTHINFO
> elsewhere and document how port restrictions are commonly used to prevent
> malicious use of servers. This captures fairly common existing practice and
> doesn't tread on the "plaintext passwords" toe.
> 
> Mind you, I don't know for sure that this will fly with the IESG, but Harald
> seemed to think it was worth a shot.

I spoke to Marcus Leech, Security Area Co-Chair of the IESG.

Marcus choked when I repeated Harald's suggestion.  Nope, that's not
going to fly.

Marcus suggests the following:

	1) leave AUTHINFO USER/PASS in and firmly deprecate it.  This
	   allows us to grandfather and firmly codify existing
	   implementations having it, or sites that wish to use
	   it.  I seem to remember that AUTHINFO SIMPLE isn't actually
	   used by anybody, so perhaps we don't need it at all.
	2) Put a SASL-like authentication in.  He prefers SASL because it's
	   very popular now.  This means, I guess, codifying AUTHINFO
	   GENERIC as an instantiation of SASL, or something like that.

Marcus suggested that Myers probably already has SASL in NNTP.  We should ask
him what that looks like.  I'd like to know what concrete steps we'd
have to make to turn AUTHINFO GENERIC into SASL and/or something compatible
with SASL...

I need to read up more on SASL.  Does someone remember the RFC off-hand?

If someone can give me a hand with that part, I suppose I could make a stab at
that part of the RFC.
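The following is an added illustration of the point under discussion, not part of Chris Lewis's message or of any NNTP specification: it contrasts the wire transcript of a legacy AUTHINFO USER/PASS login with a challenge-response mechanism of the kind SASL carries (CRAM-MD5, the HMAC-MD5 mechanism from RFC 2195), and checks whether the password ever appears on the wire. The "AUTHINFO GENERIC CRAM-MD5" command form, the numeric response codes, the user name, the password and the server host name are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed credential store: one hypothetical account.
USERS = {"alice": "correct horse battery staple"}


def plaintext_exchange(user: str, password: str) -> List[str]:
    """Simulate the legacy AUTHINFO USER/PASS dialogue and return the wire
    lines as a client/server transcript.  The response codes (381 = password
    required, 281 = accepted, 481 = rejected) are assumed for the illustration."""
    wire = [
        f"C: AUTHINFO USER {user}",
        "S: 381 PASS required",
        f"C: AUTHINFO PASS {password}",  # the secret itself crosses the wire
    ]
    ok = USERS.get(user) == password
    wire.append("S: 281 Authentication accepted" if ok else "S: 481 Authentication rejected")
    return wire


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the password over the
    server's challenge, sent as base64("user <hexdigest>")."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_exchange(user: str, password: str,
                      challenge: Optional[bytes] = None) -> List[str]:
    """Simulate a SASL-style AUTHINFO GENERIC dialogue using CRAM-MD5 and
    return the wire lines.  The command syntax is hypothetical; the host name
    inside the challenge is constructed."""
    if challenge is None:
        # A fresh, unpredictable challenge per login is what prevents replay
        # of a captured response.
        challenge = f"<{secrets.token_hex(8)}@news.example>".encode()
    wire = [
        "C: AUTHINFO GENERIC CRAM-MD5",
        "S: 381 " + base64.b64encode(challenge).decode(),
        "C: " + cram_md5_response(user, password, challenge),
    ]
    # Server-side verification: recompute the HMAC from the stored secret and
    # compare in constant time.  Note the server must hold the password (or an
    # HMAC-MD5 intermediate state), so CRAM-MD5 protects the wire, not the store.
    decoded = base64.b64decode(wire[2][3:]).decode()
    got_user, got_digest = decoded.split(" ", 1)
    expected = hmac.new(USERS.get(got_user, "").encode(), challenge, hashlib.md5).hexdigest()
    ok = got_user in USERS and hmac.compare_digest(got_digest, expected)
    wire.append("S: 281 Authentication accepted" if ok else "S: 481 Authentication rejected")
    return wire


def password_on_wire(wire: List[str], password: str) -> bool:
    """The check an auditor cares about: does the secret appear verbatim in
    any line a passive observer of the session would see?"""
    return any(password in line for line in wire)


def accepted(wire: List[str]) -> bool:
    """True if the transcript ended with the server accepting the login."""
    return wire[-1].startswith("S: 281")


if __name__ == "__main__":
    pw = USERS["alice"]
    for name, wire in (("AUTHINFO USER/PASS", plaintext_exchange("alice", pw)),
                       ("AUTHINFO GENERIC CRAM-MD5", cram_md5_exchange("alice", pw))):
        print(f"--- {name}: password visible on wire = {password_on_wire(wire, pw)}")
        print("\n".join(wire))
```

Running it prints both transcripts: the USER/PASS dialogue carries the password in the clear on the third line, while the CRAM-MD5 dialogue carries only a challenge and an HMAC over it, which is the property the IESG position quoted above is about. The same `password_on_wire` check can be run over a real session capture to find clients still using the deprecated form.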
