ietf-nntp Multiple Authentications, personal opinion

Juergen Helbing infstar at infostar.de
Tue Jan 7 00:51:22 PST 2003


I saw the call for comments on this issue.
So here just some personal experience:

I never heard from the users of the MyNews server that they need
multiple authentications. However MyNews permits this - and updates
the permissions to the latest authinfo account. This is not done
intentionally but simply because the authinfo command is not blocked
after a successful auth.

What I saw already on Usenet was that a host required authentication
WITHIN a session when a binary group was selected:
This was a public news-server (open without authentication) for
text-groups but the first attempt to access a binary group wanted the
authentication.... 
(This is just mentioned for completeness - not because it is a
problem).


There is one thing I have not understood yet:
It seems that a special kind of secure authentication is discussed
here - and I'm wondering how to write a news-client which does not
know whether the host permits (or requires) secure auth:
In such cases the client must try both types of auth (at least once to
find out which one the host wants). This could be done - of course -
in a second attempt to reconnect - but this is not very funny.

Perhaps I've missed this in the previous discussion, but I would like
that host permit another auth if the first one fails. Especially if
secure and old authentication is available.

 
There are two types of "special" news-servers today:
Public servers (almost read only) and commercial servers.
These servers have limitations for the number of concurrent users -
and sometimes farms permit connect but have strange reply code when an
article should be retrieved as:  "480 already connect to two other
hosts).....

There is nothing special actually - but I don't know how these "special
servers" will develop in the future. I just recognize that these
people have special needs which are not understandable for most of us
(and which are solved actually by issuing funny return codes in
special situations) - and nobody knows what they need in the future.

So I personally would be careful to _forbid_ something if it is not
strictly necessary for secure auth....


Just some thoughts and experience.
Please apologize if these things have been already discussed.
I did not read the list seriously in the last few weeks.

-- 
Juergen
-----------------------
MyNews:  www.winews.net
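
Added example (not part of the original message, and not MyNews code): a toy session handler contrasting the behaviour described in the message, where AUTHINFO stays available after a successful login and the latest account's permissions replace the earlier ones, with a server that answers 502 to any AUTHINFO after success. It also shows the in-session 480 for a binary group. The account names, passwords, `Session` class and the `.binaries.` group test are assumptions; reply codes use RFC 4643 numbering.

```python
import hmac

# Constructed accounts: name -> (password, permitted group kinds)
ACCOUNTS = {"reader": ("pw1", {"text"}), "premium": ("pw2", {"text", "binary"})}

class Session:
    """Toy NNTP session (hypothetical); reply codes use RFC 4643 numbering."""

    def __init__(self, allow_reauth):
        self.allow_reauth = allow_reauth  # True: AUTHINFO not blocked after success
        self.user = None                  # authenticated account, if any
        self.pending = None               # name awaiting AUTHINFO PASS
        self.perms = {"text"}             # anonymous access: text groups only

    def command(self, line):
        parts = line.split()
        if not parts:
            return "500 unknown command"
        verb, args = parts[0].upper(), parts[1:]
        if verb == "AUTHINFO":
            return self._authinfo(args)
        if verb == "GROUP" and args:
            kind = "binary" if ".binaries." in args[0] else "text"
            if kind not in self.perms:
                return "480 authentication required"  # demanded mid-session
            return "211 group selected"
        return "500 unknown command"

    def _authinfo(self, args):
        if self.user and not self.allow_reauth:
            return "502 command unavailable"  # already authenticated
        if len(args) != 2:
            return "501 syntax error"
        sub, value = args[0].upper(), args[1]
        if sub == "USER":
            self.pending = value
            return "381 password required"
        if sub != "PASS":
            return "501 syntax error"
        if self.pending is None:
            return "482 authentication commands out of sequence"
        name, self.pending = self.pending, None
        record = ACCOUNTS.get(name)
        if record is None or not hmac.compare_digest(record[0].encode(), value.encode()):
            return "481 authentication failed"  # earlier identity and rights kept
        # Latest successful account replaces the session's rights, up or down.
        self.user, self.perms = name, set(record[1])
        return "281 authentication accepted"
```

With `allow_reauth=True` a second login as a lower-privileged account silently narrows the session's rights, so a server that permits re-authentication should log each identity change for the audit trail.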



