ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Russ Allbery rra at stanford.edu
Thu Dec 19 20:58:33 PST 2002


Rob Siemborski <rjs3 at andrew.cmu.edu> writes:

> If there's anonymous authentication (as is the case with a server that
> doesn't support AUTHINFO anything), then there's no MUST.

Both anonymous and IP-based authentication are very common for Usenet and
both reasonable given what's served through the protocol for the most part
(namely completely public information -- the only purpose that even the IP
restrictions serve is to prevent abuse and spam).

> Presumably this gets worded something like "Servers MAY implement
> authentication, if they do, they MUST implement at least TLS and the SASL
> PLAIN mechanism".

>> I don't think that news servers should be required to implement TLS,
>> even if they support authentication.  TLS is a lot of additional
>> complexity and is quite a lot of overhead for the typical news
>> application.

> Then the mandatory to implement mechanism could be something more akin
> to CRAM-MD5.  It's just there to ensure baseline interoperability.

Yeah, I'd be more inclined to go that route than to require TLS.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


