ietf-nntp RFC977bis w.r.t. authentication

Larry Osterman (Exchange) larryo at Exchange.Microsoft.com
Tue May 5 13:40:03 PDT 1998


As far as I know, there is NOTHING that needs to be done for "SASL
complience" in the protocol definition except citing RFC2222 in the text.

And I believe that the AUTHINFO GENERIC mechanism as currently specified
satisfies the requirements for SASL, if the paragraph in 9.1.2:
		The server will attempt to engage the server end
            authenticator; similarly, the client should engage the client
            end authenticator.  The server end authenticator will then
            initiate authentication using the NNTP sockets (if appropriate
            for that authentication protocol), using the protocol
            specified by the authenticator name.  These authentication
            protocols are not included in this document, but are similar
            in structure to those referenced in RFC 1731[7] for the IMAP-4
            protocol
is changed to reference RFC2222 instead of 1731 (which should be 2060 at
this point anyway).

The only addition that I would suggest is the ability of enumerating the
SASL providers.  The Microsoft Exchange and MCIS servers (and the Outlook
Express and Outlook clients) do this by returning a list of SASL providers
supported in the response to AUTHINFO GENERIC if there are no parameters
specified.

Some text regarding the encoding of the arguments to AUTHINFO GENERIC is
probably appropriate, personally I'd suggest BASE64 encoding (mostly because
NNTP is a 7bit protocol and since the SASL packages toss around arbitrary
binary data, it makes sense, and partly because that's what the MS servers
have done :-)).

And while we're talking about AUTHINFO GENERIC, the last paragraph in 9.1.2
gives me heartburn - The server provides the client with the USERS email
address by an undefined mechanism????????  And then if the From: field of
posts doesn't match this email address, it puts a Sender: field in the post?
Personally I'd never use such a server, while guaranteeing the identity of
posters is interesting, there are HUGE privacy issues with a server that
broadcasts a VALIDATED email address of a user over the internet.  I
recognise that masking email addresses is a poor way of avoiding SPAM,
but.......




Larry Osterman
Sent from larryo-laptop.dns.microsoft.com running NT5 and Outlook 98 and
Exchange Server 5.5.  Please notify the sender of any difficulties


-----Original Message-----
From: Chris Lewis [mailto:Chris.Lewis.clewis at nt.com]
Sent: Tuesday, May 05, 1998 1:03 PM
To: ietf-nntp at academ.com
Subject: Re: ietf-nntp RFC977bis w.r.t. authentication


Nat Ballou (Exchange) wrote:
> 
> > This is precisely why it was decided to move this out of the main
> document.
> > It's going to take time to get these bits right. Other than these bits,
> > there is little else that folks are expressing concerned about in the
> current
> > draft.
> 
> On this issue, I believe the consensus is that it's worth the wait.
> BTW, there are implementations - server and client - doing AUTHINFO
GENERIC
> today.  If Chris or you would like more info on how this works, give me
> a shout and I'll gladly help out.

It's not necessary - I was the one who invented AUTHINFO GENERIC (with
a little nudge from Rich $alz), implemented it for INN,
NNTP 1.5.12, trn, tin and even xrn, and provided the docs for Stan ;-)

Is Microsoft's server doing it now?

> I'm all for following SASL to the
> letter on this one - but let's avoid arbitrary differences that break
> existing practice ...

I need to read up more on SASL to find out where the compatibilities are.
If there are any...



More information about the ietf-nntp mailing list