ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

ned+ietf-nntp at innosoft.com ned+ietf-nntp at innosoft.com
Tue Dec 24 07:30:09 PST 2002


> In <3E033112.5974D774 at oceana.com> Ken Murchison <ken at oceana.com> writes:

> >Maybe it's just me, but you seem to be projecting your particular
> >implementation and its pros/cons on the entire community.  I'm sure that
> >there are plenty of ISPs that can successfully provide secure
> >authentication without the *NEED* for a DSS-type mechanism.  As I've
> >stated before, I can definitely see a fit for such a mechanism, but you
> >make it sound like nothing can be done without it.

> Yes indeed so. Currently, they ALL authenticate their customers regularly
> using AUTHINFO with plaintext passwords. It works fine.

> The trouble is that the protocol is not written down anywhere, and we are
> not permitted to write it down because the IETF won't let us :-( .

Nonsense. What the IETF won't let you do is standardize something that involves
passwords in the clear. An informational document describing existing practice
would likely be OK, assuming first that an acceptable standards track
alternative has been defined and second that it is OK that an IESG note
describing the risks and noting the existence of a reasonable standards track
alternative will be included.

				Ned


