ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)
Ken Murchison
ken at oceana.com
Fri Dec 13 10:52:02 PST 2002
Charles Lindsey wrote:
>
> In <3DF8FDDD.C4D7E35 at oceana.com> Ken Murchison <ken at oceana.com> writes:
>
> >Charles Lindsey wrote:
> >>
> >> AFAIR, at the time we removed AUTHINFO from our draft (that was years
> >> ago), it was because we were told that the IETF would no longer
> >> countenance any new standards that allowed (let alone required) the
> >> sending of passwords in plain text. I have always assumed that this was the
> >> issue on which Chris was supposed to be working.
>
> >It is my understanding that plaintext mechs are allowed as long as they
> >can be protected by some external layer (eg, TLS). The updated IMAP
> >draft has language to this effect and has passed an initial IESG
> >review. That being said, other members of ietf-imapext and ietf-sasl
> >are more qualified to address this issue.
>
> Please explain to me what TLS is. Whatever, I don't think it is
> customarily used with NNTP.

TLSv1 actually. It is the standardized version of SSL, which is
currently used to encrypt NNTP traffic on port 963. Most protocols are
now defining a command, usually STARTTLS, to initiate an SSL/TLS exchange
within the protocol itself. It was my understanding that Jeff or
someone else was going to draft a STARTTLS command for NNTP. This
command would then be mandatory to implement in order to use plaintext
authentication. Here are some relevant references:

http://www.ietf.org/rfc/rfc2246.txt
http://www.ietf.org/internet-drafts/draft-crispin-imapv-20.txt
http://www.ietf.org/rfc/rfc2595.txt
http://www.ietf.org/rfc/rfc3207.txt
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp