ietf-nntp Re: WG Review: Simple Authentication and Security
Layer (sasl)
Russ Allbery
rra at stanford.edu
Thu Dec 19 20:58:33 PST 2002
Rob Siemborski <rjs3 at andrew.cmu.edu> writes:
> If there's anonymous authentication (as is the case with a server that
> doesn't support AUTHINFO anything), then there's no MUST.
Both anonymous and IP-based authentication are very common for Usenet and
both reasonable given what's served through the protocol for the most part
(namely completely public information -- the only purpose that even the IP
restrictions serve is to prevent abuse and spam).
> Presumably this gets worded something like "Servers MAY implement
> authentication, if they do, they MUST implement atleast TLS and the SASL
> PLAIN mechanism".
>> I don't think that news servers should be required to implement TLS,
>> even if they support authentication. TLS is a lot of additional
>> complexity and is quite a lot of overhead for the typical news
>> application.
> Then the mandatory to implement mechanism could be something more akin
> to CRAM-MD5. Its just there to ensure baseline interoperability.
Yeah, I'd be more inclined to go that route than to require TLS.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the ietf-nntp
mailing list