ietf-nntp RFC977bis w.r.t. authentication

Chris Lewis Chris.Lewis.clewis at nt.com
Tue May 5 13:44:33 PDT 1998


Stan Barber wrote:
> 
> > I spoke to Marcus Leech, Security Area Co-Chair of the IESG.
> >
> > Marcus choked when I repeated Harald's suggestion.  Nope, that's not
> > going to fly.
> >
> > Marcus suggests the following:
> >
> >       1) leave AUTHINFO USER/PASS in and firmly deprecate it.  This
> >          allows us to grandfather and firmly codify existing
> >            implementations having it, or sites that wish to use
> >          it.  I seem to remember that AUTHINFO SIMPLE isn't actually
> >          used by anybody, so perhaps we don't need it at all.
> >       2) Put a SASL-like authentication in.  He prefers SASL because it's
> >          very popular now.  This means, I guess, codifying AUTHINFO
> >          GENERIC as a instantiation of SASL, or something like that.
> >
> > Marcus suggested that Myers probably already has SASL in NNTP.  We should ask
> > him what that looks like.  I'd like to know what concrete steps we'd
> > have to make to turn AUTHINFO GENERIC into SASL and/or something compatible
> > with SASL...
> >
> > I need to read up more on SASL.  Does someone remember the RFC off-hand?
> >
> > If someone can give me a hand with that part, I suppose I could make a stab at
> > that part of the RFC.
> 
> This is precisely why it was decided to move this out of the main document.
> It's going to take time to get these bits right. Other than these bits,
> there is little else that folks are expressing concerned about in the current
> draft.

Let me put it this way: I got the firm impression, from someone who could veto
it in the IESG, that it won't pass without AUTHINFO SASL or GENERIC.
That pushing authentication into another document won't work, and that making
noises about nnrp.access/nntp_access in the document ain't enough.

It may be nothing much more than making SASL an alias for GENERIC.

If I could get someone familiar with SASL to talk to me, I don't think
the "time" will be very long.



More information about the ietf-nntp mailing list