ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Charles Lindsey chl at clw.cs.man.ac.uk
Tue Dec 17 03:34:38 PST 2002


In <3DFA2C52.613AF63B at oceana.com> Ken Murchison <ken at oceana.com> writes:

>TLSv1 actually.  It is the standardized version of SSL, which is
>currently used to encrypt NNTP traffic on port 963.  Most protocols are
>now defining a command, usually STARTTLS, to initiate an SSL/TLS exchange
>within the protocol itself.  It was my understanding that Jeff or
>someone else was going to draft a STARTTLS command for NNTP.  This
>command would then be mandatory to implement in order to use plaintext
>authentication.  Here are some relevant references:

But presumably that means encrypting the whole subsequent NNTP download
session. That seems a gross over-complication for downloading usenet news
which is all in the public domain anyway (it might be desirable for some
private and specialized uses of NNTP). All we are trying to do is to
enable the server to verify that the person trying to connect is one of
its known paying customers.

So I still think we need a much lighter-weight system that just encrypts
the AUTHINFO stage.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clw.cs.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
