ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Ken Murchison ken at oceana.com
Tue Dec 17 10:26:58 PST 2002


Charles Lindsey wrote:
> 
> In <3DFA2C52.613AF63B at oceana.com> Ken Murchison <ken at oceana.com> writes:
> 
> >TLSv1 actually.  It is the standardized version of SSL, which is
> >currently used to encrypt NNTP traffic on port 963.  Most protocols are
> >now defining a command, usually STARTTLS, to initiate an SSL/TLS exchange
> >within the protocol itself.  It was my understanding that Jeff or
> >someone else was going to draft a STARTTLS command for NNTP.  This
> >command would then be mandatory to implement in order to use plaintext
> >authentication.  Here are some relevant references:
> 
> But presumably that means encrypting the whole subsequent NNTP download
> session. That seems a gross over-complication for downloading usenet news
> which is all in the public domain anyway (it might be desirable for some
> private and specialized uses of NNTP). All we are trying to do is to
> enable the server to verify that the person trying to connect is one of
> its known paying customers.

The same could be said about IMAP providers, but some of them provide
STARTTLS.  Of course, I'm sure they would prefer not to.


> So I still think we need a much lighter-weight system that just encrypts
> the AUTHINFO stage.


I agree that a SASL mech which encrypts only the plaintext password is
desirable.  The biggest problem that I can see with this is getting
client vendors to implement it.  I would assume that it would be much
easier for them to implement USER/PASS and/or PLAIN along with SSL/TLS
based on the simplicity of the authentication and the availability of
SSL/TLS code.  I'm not up to speed on all of the various NNTP clients,
but I would assume that a few already have support for USER/PASS over
SSL (port 563).

As Jeff said, none of this should impede the progress of AUTHINFO SASL
and STARTTLS moving forward.

Ken
-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
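The thread's design point, that plaintext AUTHINFO USER/PASS should only be usable once TLS (implicit on port 563 or negotiated via STARTTLS) protects the session, expressed as a client-side policy. This is an added example, not code from the thread or from any NNTP implementation; the 382/381/281 response codes follow the later RFC 4642/4643 and `FakeNntpServer` is a constructed in-memory stand-in for a real socket.

```python
"""Client policy: never emit the password over an unprotected NNTP connection.
Either the connection is already TLS (port 563 style) or STARTTLS must
succeed first. Response codes as later standardized in RFC 4642/4643."""


class FakeNntpServer:
    """Constructed in-memory peer (not a network server). It records every
    command together with whether TLS was active when the command arrived."""

    def __init__(self, supports_starttls, implicit_tls=False):
        self.supports_starttls = supports_starttls
        self.is_tls = implicit_tls      # True models a connection on port 563
        self.log = []                   # list of (command, tls_active)

    def command(self, line):
        self.log.append((line, self.is_tls))
        if line == "STARTTLS":
            if self.is_tls:
                return "502 TLS already active"
            if not self.supports_starttls:
                return "502 Command unavailable"
            self.is_tls = True          # stands in for the TLS handshake
            return "382 Continue with TLS negotiation"
        if line.startswith("AUTHINFO USER "):
            return "381 Enter passphrase"
        if line.startswith("AUTHINFO PASS "):
            return "281 Authentication accepted"
        return "500 Unknown command"


def nntp_plaintext_login(server, user, password):
    """Return True on 281, False if the server rejects the credentials.
    Raises RuntimeError instead of sending AUTHINFO PASS without TLS."""
    if not server.is_tls:
        reply = server.command("STARTTLS")
        if not reply.startswith("382"):
            raise RuntimeError("server refused STARTTLS; password not sent")
        # A real client would now wrap the socket with ssl.SSLContext.wrap_socket
        # and verify the server certificate before continuing.
    if not server.is_tls:
        raise RuntimeError("TLS not established; password not sent")
    if not server.command(f"AUTHINFO USER {user}").startswith("381"):
        return False
    return server.command(f"AUTHINFO PASS {password}").startswith("281")
```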