ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Rob Siemborski rjs3 at andrew.cmu.edu
Thu Dec 19 20:38:51 PST 2002


On Thu, 19 Dec 2002, Russ Allbery wrote:

> Both TLS and SASL (and indeed any authentication whatsoever) are entirely
> optional in NNTP, so I'm not sure what the scope of your "MUST" is here.

Presumably for authentication, since the IESG isn't approving protocols
that use cleartext passwords as their authentication mechanism anymore.

If there's anonymous authentication (as is the case with a server that
doesn't support AUTHINFO anything), then there's no MUST.

Presumably this gets worded something like "Servers MAY implement
authentication, if they do, they MUST implement atleast TLS and the SASL
PLAIN mechanism".

> I don't think that news servers should be required to implement TLS, even
> if they support authentication.  TLS is a lot of additional complexity and
> is quite a lot of overhead for the typical news application.

Then the mandatory to implement mechanism could be something more akin to
CRAM-MD5.  Its just there to ensure baseline interoperability.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski | Andrew Systems Group * Research Systems Programmer
PGP:0x5CE32FCC | Cyert Hall 207 * rjs3 at andrew.cmu.edu * 412.268.7456
-----BEGIN GEEK CODE BLOCK----
Version: 3.12
GCS/IT/CM/PA d- s+: a-- C++++$ ULS++++$ P+++$ L+++(++++) E W+ N o? K-
w O- M-- V-- PS+ PE++ Y+ PGP+ t+@ 5+++ R@ tv-@ b+ DI+++ G e h r- y?
------END GEEK CODE BLOCK-----






More information about the ietf-nntp mailing list