ietf-nntp RFC977bis w.r.t. authentication

Chris Newman Chris.Newman at INNOSOFT.COM
Tue May 12 14:55:37 PDT 1998


On Tue, 5 May 1998, Chris Lewis wrote:
> I spoke to Marcus Leech, Security Area Co-Chair of the IESG.
> 
> Marcus choked when I repeated Harald's suggestion.  Nope, that's not
> going to fly.

I kind of suspected something like that would happen.

> Marcus suggested that Myers probably already has SASL in NNTP.  We should ask
> him what that looks like.  I'd like to know what concrete steps we'd
> have to make to turn AUTHINFO GENERIC into SASL and/or something compatible
> with SASL...

The problem with AUTHINFO GENERIC is it's already too generic for SASL and
implicitly has a separate mechanism namespace.  SASL has the client and
server exchanging single octet strings, these would probably best be
base64 encoded in an NNTP profile since NNTP is a text-only protocol.  I
think it's best to leave AUTHINFO GENERIC alone and deprecate it along
with AUTHINFO USER/PASS.  Then define AUTHINFO SASL.

> I need to read up more on SASL.  Does someone remember the RFC off-hand?

RFC 2222.  It might also help to look at some of the existing SASL
profiles including IMAP AUTHENTICATE (RFC 2060), ACAP (RFC 2244) and LDAP
(RFC 2251). 

> If someone can give me a hand with that part, I suppose I could make a stab at
> that part of the RFC.

I volunteered to write the spec since I've already done a SASL profile
and I'm fairly familiar with the security requirements necessary to pass
the IESG.  Unfortunately, my time is a bit limited right now, so I won't
have the text done until mid/late June.  You're welcome to take a crack at
it if you wish.

Given the AD advice, we're back to having to pick a solution to the
mandatory to implement authentication problem documented in: 
  <ftp://ftp.isi.edu/internet-drafts/draft-newman-auth-mandatory-00.txt>
before the spec can be approved.

		- Chris
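
An added example for the base64 point in the message above; it is not part of the original message or of any specification text. The `AUTHINFO SASL <mechanism> <token>` line syntax, the `=` marker for a zero-length octet string, and all function names are assumptions made for this illustration. It shows why arbitrary SASL octets need encoding on a CRLF-delimited text protocol, and a strict decode on the receiving side.

```python
import base64
import binascii

EMPTY = "="  # assumed marker for a zero-length octet string


def encode_token(octets: bytes) -> str:
    """Turn a SASL octet string into one text-safe token."""
    if not octets:
        return EMPTY
    return base64.b64encode(octets).decode("ascii")


def decode_token(token: str) -> bytes:
    """Strictly decode a token; raise ValueError on anything malformed."""
    if token == EMPTY:
        return b""
    if not token:
        raise ValueError("missing token")
    try:
        # validate=True rejects characters outside the base64 alphabet
        # (including stray CR/LF) instead of silently skipping them.
        return base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64 token") from exc


def client_line(mechanism: str, initial: bytes) -> str:
    """Build the hypothetical 'AUTHINFO SASL <mech> <token>' command line."""
    return f"AUTHINFO SASL {mechanism} {encode_token(initial)}\r\n"


def parse_client_line(line: str):
    """Receiving side: split the command and recover the octet string."""
    if not line.endswith("\r\n"):
        raise ValueError("unterminated line")
    parts = line[:-2].split(" ")
    if len(parts) != 4 or [p.upper() for p in parts[:2]] != ["AUTHINFO", "SASL"]:
        raise ValueError("not an AUTHINFO SASL command")
    return parts[2].upper(), decode_token(parts[3])


# Constructed sample: octets containing NUL, CR and LF, which would break
# line framing if sent raw on a text-only protocol.
SAMPLE = b"\x00user\x00pa\r\nss"
```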



