ietf-nntp RFC977bis w.r.t. authentication

Chris Newman Chris.Newman at INNOSOFT.COM
Wed May 13 16:55:31 PDT 1998


On Wed, 13 May 1998, Brian Hernacki wrote:
> Chris Newman wrote:
> > 
> > On Thu, 7 May 1998, Brian Hernacki wrote:
> > > Just to add my two cents, I think the right thing to do is document the
> > > existing AUTHINFO scheme (which I would say is AUTHINFO USER/PASS) and
> > > do a separate document to define AUTHINFO GENERIC.
> > 
> > The IESG requires that if we include an authentication mechanism of any
> > sort, we include a fully-specified one that does not send an unencrypted
> > plaintext password over the wire.  Thus your proposal can't be
> > standardized.
> 
> We're not writing a new protocol, but just clarifying an existing one.
> Our charter is pretty specific about this.

You are right that our charter specifically forbids adding any new features
which aren't actually deployed.  But that does not change the fact that
the IESG will reject (or put a nasty disclaimer) on any proposal which has
unencrypted passwords as the only authentication mechanism.  Look at the
IESG disclaimer on RFC 2251.

So our choices are:

(A) Use the proposal that was made in the LA WG meeting (no AUTHINFO in
base spec, document network level security that's widely used today).

(B) Document just AUTHINFO USER/PASS in the base spec and hope we can get
away with just an IESG disclaimer saying not to use NNTP for posting
until a suitable authentication mechanism is added.  I suspect this will
result in the spec being returned to the WG with direction from the IESG
to include a proper authentication mechanism.

(C) Update the charter to permit us to add new features for authentication
necessary to get IESG approval. 

		- Chris




