ietf-nntp Virtual hosts in NNTP servers

Jeffrey M. Vinocur jeff at litech.org
Tue Feb 25 09:34:10 PST 2003


On Tue, 25 Feb 2003, Joao Prado Maia wrote:

> Most of you guys probably know about the 'Host' header that gets sent from 
> HTTP 1.1 compliant browsers, which allows web servers to serve pages for 
> different domains while binding to the same port in the same IP address.
> 
> Could the same thing be implemented for NNTP? Can anyone provide feedback 
> about pros and cons about this idea?

Well.  In HTTP, you need this for two purposes:
- serving different content based on the hostname used
- presenting the appropriate server certificate with HTTPS

Of course, at present the latter purpose is *not* fixed by the Host: 
header in HTTP, which is a shame.


In NNTP, it's definitely relevant to the second case (authentication), not
for separate user databases (simply use usernames of the form
user at domain), but for certificate-based authentication (for example, in
order to verify the server's TLS certificate matches the expected
hostname).  Those issues come up in the STARTTLS draft that I submitted
yesterday (but which probably won't be published until after the IETF
meeting because I flubbed A.M. / P.M.), and as a result we actually describe
a mechanism like the one you describe for STARTTLS.  And I considered
making it a separate extension that could be used without STARTTLS, which
would be relevant to you.

But since the issues above are fixed by draft-ietf-tls-extensions-06.txt,
I'm therefore expecting that we'll be able to remove the NNTP-specific
implementation of virtualhost name passing.  Though, if people see a need
for it, I could have a draft for an extension like you described ready on
extremely short notice.


As for the second case (differing content), it's not so clear how much 
benefit there is in NNTP.  It's hard to imagine a case where a request for 
headers from e.g. news.software.nntp would have a different *meaning* 
depending on what hostname you used for the news server.  The obvious uses 
are to restrict permissions in some fashion (restrict group list, allow 
posting vs read-only, etc).  But it's a bit odd to say that a user 
connecting from the same IP would get more privileges using one hostname 
than another -- it's certainly not a wise form of security.  So it's hard 
to see much benefit here.



-- 
Jeffrey M. Vinocur
jeff at litech.org
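Added example (not part of the original post or of the STARTTLS draft): the two checks the post relies on once TLS server_name does the virtual-host work, the server choosing a certificate from the hostname the client sent and the client verifying the presented certificate against the hostname it meant to reach. Hostnames and SAN lists are constructed; no sockets or real certificates are involved.

```python
import ipaddress

# Constructed example: the dNSName SANs each virtual host's certificate
# would carry. A real server loads a certificate/key pair per hostname.
VHOST_CERT_SANS = {
    "news.example.net": ["news.example.net", "nntp.example.net"],
    "news.example.org": ["*.example.org"],
}

def select_cert_for_sni(sni_name, table=VHOST_CERT_SANS):
    """Server side: pick the certificate for the name the client sent in
    the TLS server_name extension. Without SNI, a server on a shared IP
    can only present one default certificate (here: the first vhost)."""
    if sni_name is None:
        return table[next(iter(table))]
    return table.get(sni_name.lower().rstrip("."))

def _label_match(pattern, hostname):
    """One dNSName against one hostname, following RFC 6125 section 6.4.3:
    case-insensitive, wildcard only as the entire left-most label, never
    spanning a label boundary and never matching a bare public suffix."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as n*ws.example.org are rejected
    return p_labels == h_labels

def hostname_matches_cert(expected_host, san_dns_names):
    """Client side: does any SAN dNSName match the hostname the client
    intended to reach? An IP literal is never matched against a dNSName."""
    try:
        ipaddress.ip_address(expected_host)
        return False
    except ValueError:
        pass
    return any(_label_match(san, expected_host) for san in san_dns_names)

def nntp_starttls_check(expected_host, sni_sent):
    """Whole path after STARTTLS: the client connected to expected_host,
    sent (or omitted) SNI, the server picked a certificate, and the client
    verifies that certificate against the name it used."""
    sans = select_cert_for_sni(sni_sent)
    return sans is not None and hostname_matches_cert(expected_host, sans)
```

Omitting SNI against the second virtual host fails the check, which is the shared-IP certificate problem the post describes; with SNI the same connection verifies.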
