ietf-nntp RFC977bis w.r.t. authentication

Charles Lindsey chl at clw.cs.man.ac.uk
Wed May 6 04:43:29 PDT 1998


In <2FBF98FC7852CF11912A000000000001095E1671 at DINO> "Larry Osterman (Exchange)" <larryo at Exchange.Microsoft.com> writes:

>And while we're talking about AUTHINFO GENERIC, the last paragraph in 9.1.2
>gives me heartburn - The server provides the client with the USERS email
>address by an undefined mechanism????????  And then if the From: field of
>posts doesn't match this email address, it puts a Sender: field in the post?
>Personally I'd never use such a server, while guaranteeing the identity of
>posters is interesting, there are HUGE privacy issues with a server that
>broadcasts a VALIDATED email address of a user over the internet.  I
>recognise that masking email addresses is a poor way of avoiding SPAM,
>but.......

The present thinking on the 1036bis group is that the "injecting-agent"
for an article MUST be identifiable from the article. Generally speaking,
an NNTP server, when handling submissions via the POST command, will be the
injecting agent for this purpose. The injecting agent is the one who must
take responsibility when things go wrong. I.e. he must have a working
abuse@ (or at least usenet@) address, and should be in a position to nuke
his clients if they misbehave.

There is a presumption that the injecting agent can tell, from the login
that initiated the POST, or from the IP address it came from, or by
whatever authentication mechanism (password/SASL/whatever) was used,
exactly where the article came from. If the injecting agent chooses to let
his clients be anonymous, or munge their addresses, then it is his
problem. Preferably, he should be able to vouch for the authenticity of
their From address (we will likely be providing an Originator-Info header
for this purpose).

Currently, the injecting agent can be recognised from the Path header,
whose syntax we have tightened up for the purpose. It could also be done
via the Sender header, as in the present NNTP draft.

A further feature of our new Path header is that he who adds an entry to
the front of it is expected to vouch for the correctness of the previous
front entry (because he knew the IP address where it came from, or he
believes the NNTP authentication that came with it, or whatever). Thus even
those using the IHAVE command will be expected to authenticate themselves
somehow.

As to whether the Sender header is an official part of News, shall we say
that it is "under discussion". Personally, I believe it has to be, simply
because we are following the format of Mail. And it is even useful on
occasions.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email:     chl at clw.cs.man.ac.uk  Web:   http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9     Fingerprint: 73 6D C2 51 93 A0 01 E7  65 E8 64 7E 14 A4 AB A5


