ietf-nntp RFC977bis w.r.t. authentication

Stan Barber sob at academ.com
Tue May 5 08:16:54 PDT 1998


> I spoke to Marcus Leech, Security Area Co-Chair of the IESG.
> 
> Marcus choked when I repeated Harald's suggestion.  Nope, that's not
> going to fly.
> 
> Marcus suggests the following:
> 
> 	1) leave AUTHINFO USER/PASS in and firmly deprecate it.  This
> 	   allows us to grandfather and firmly codify existing
>            implementations having it, or sites that wish to use
> 	   it.  I seem to remember that AUTHINFO SIMPLE isn't actually
> 	   used by anybody, so perhaps we don't need it at all.
> 	2) Put a SASL-like authentication in.  He prefers SASL because it's
> 	   very popular now.  This means, I guess, codifying AUTHINFO
> 	   GENERIC as an instantiation of SASL, or something like that.
> 
> Marcus suggested that Myers probably already has SASL in NNTP.  We should ask
> him what that looks like.  I'd like to know what concrete steps we'd
> have to make to turn AUTHINFO GENERIC into SASL and/or something compatible
> with SASL...
> 
> I need to read up more on SASL.  Does someone remember the RFC off-hand?
> 
> If someone can give me a hand with that part, I suppose I could make a stab at
> that part of the RFC.

This is precisely why it was decided to move this out of the main document.
It's going to take time to get these bits right. Other than these bits,
there is little else that folks are expressing concern about in the current
draft.


-- 
Stan   | Academ Consulting Services        |internet: sob at academ.com
Olan   | For more info on academ, see this |uucp: mcsun!academ!sob
Barber | URL- http://www.academ.com/academ |Opinions expressed are only mine.


