ietf-nntp Section 11.5 - NEWNEWS
Andrew Gierth
andrew at erlenstar.demon.co.uk
Mon Jul 24 18:18:12 PDT 2000
>>>>> "David" == David Riley <David.Riley at software.com> writes:
 David> Also, what happened with CHECK/TAKETHIS?

It's an extension and therefore not included.

 David> I remember reading AUTHINFO wasn't included since the IETF
 David> does not approve of any protocols with cleartext passwords?
 David> Is this the case? Again, AUTHINFO USER and AUTHINFO PASS are
 David> the norm and I think they should be documented in the draft.

AUTHINFO is also an extension, and there has been a separate draft
(now expired, I think) that defined it.

There are some unresolved issues about authentication, however:

 1) the need to standardise 480 responses, which conflicts with the
    previous standard's definition of all x8x responses as being
    reserved for local extensions. (The auth draft tried to avoid
    this by using 450 rather than 480, but that breaks compatibility
    completely.)

 2) the auth draft specified that SASL and the DIGEST-MD5 scheme were
    MUST requirements of any implementation using auth. While the
    desire to avoid plaintext passwords is all well and good, I for
    one cannot implement any scheme in which the user-entered
    password is not recoverable in plaintext at the server end (I
    have seen no SASL scheme that allows this, though it is
    theoretically possible using public-key encryption).

--
Andrew.