ietf-nntp Merge Newman's Authinfo draft into Main Draft?

Ned Freed Ned.Freed at INNOSOFT.COM
Tue May 26 16:02:37 PDT 1998


> > Just because no one commented on the draft does not mean that there was
> > consensus on merging the draft back into the main draft. At best, it means
> > that the contents of the draft are not objectionable to anyone on the
> > mailing list.

> I believe the NNTPEXT charter forbids adding the AUTHINFO command to the
> base spec in a way which meets IESG guidelines.

(With co-chair hat on) I agree. We cannot add brand new features like this in
the base specification given the charter as it stands.

> NNTPEXT is forbidden from adding new features to the protocol -- this
> includes authentication technology which isn't already deployed.  On the
> flip side, the IESG requires that if any authentication mechanism is
> included in the base spec, then there must be a mandatory-to-implement
> mechanism which does not use plaintext passwords.  These two requirements
> end up being contradictory in this case.

> NNTPEXT has two choices:

> (A) Include no AUTHINFO command in base spec and document that current
> practice is to permit public access to NNTP servers with restrictions
> based on source IP address (often enforced by a border packet filter).

Speaking simply as a participant, I believe this is the right thing to do.

> (B) Update the NNTPEXT charter to permit us to add new authentication
> technology as necessary to meet IESG requirements for authentication
> commands.  Then solve the problem documented in
> draft-newman-auth-mandatory-00.txt.

I really don't want to add NNTP to the list of protocols stuck on this issue,
and that is the best thing we can hope for even if we manage to get past the
charter issue.

However, I do want to pursue SASL mechanisms as an NNTP extension. I think
it would be a mistake not to. But we have to finish the base specification
first.

> Unless we get a definitive IESG statement that NNTPEXT is not permitted to
> do (A) and has to make incompatible changes to the NNTP protocol which
> will make all current servers incompliant, I'd prefer to go with (A).  I
> happen to think the NNTPEXT charter was well written and there isn't
> justification to change it unless (A) is known to be a show-stopper.  I
> know some form of question was posed to Marcus Leech, but we don't
> know how that question was worded and only have a second-hand report of
> the results.

Good point.

> > The next step should be to have the draft published in the
> > Internet Drafts repository so that folks not participating in the list might
> > have a chance to comment.

> I just sent in the draft (with a list of open issues added).  It should
> appear in a few days.

Thanks!

				Ned


