ietf-nntp draft-ietf-nntpext-tls-nntp-00

Ken Murchison ken at oceana.com
Mon Mar 3 11:08:22 PST 2003 

"Jeffrey M. Vinocur" wrote:
> 
> On Mon, 3 Mar 2003, Ken Murchison wrote:
> 
> By the way, it's generally easier for everyone to keep track of what's
> going on if you separate issues into multiple message.

Since these are all related to one command, it never even occurred to me
to separate them.

> > - section 4.1:
> 
> I'm going to yield to Russ on the response codes.  I think he'd approved
> the usage in the draft, but I'd have to dig up the exact justification.
> 
> You're right that the inadequate-security response code (here 483) isn't
> formalized, anywhere.  That slipped through when I pulled out the SASL
> stuff.  But it's an interesting issue:
> 
> Is it acceptable to formalize 483 here, even though -- once the SASL stuff
> is in place -- both STARTTLS and AUTHINFO SASL will be acceptable actions
> for the client to take after receiving 483?

Hmm, good point.  I would argue that this is an AUTHINFO specific
response code and belongs in the AUTHINFO draft.

I do think we should have a "TLS failed" response code.


> > - section 4.3:  Why reissue the welcome banner?  What is its purpose?
> > None of the other messaging protocols do this.
> 
> Hmm.  It's existing practice with the TLS-on-port-563 implementation,
> since otherwise there's no welcome banner at all (because the TLS

Keep in mind that the banner that you see when doing NNTPS (port 563) is
the _actual_ greeting banner.  The SSL/TLS negotiation happens outside
of the actual NNTP protocol (its an NNTP session nested inside of
SSL/TLS), where STARTTLS happens within NNTP.  Even though the SSL/TLS
code is essentially the same, NNTPS and NNTP/STARTTLS are apples and
oranges.

> negotiation begins immediately).  I haven't actually checked what INN does
> if you use STARTTLS...I believe it does not reissue the banner.

You're right, it doesn't AFAICT.  It follows RFC 2595 and RFC 3207.

> The point I was trying to make in the "Note" at the top of section 5 was
> that I expect (and hope) to remove this extension, and that nobody should
> implement it except out of boredom.  I just found out about the TLS
> extension recently (recall that STARTTLS has been in pre-draft stage for
> an absurdly long time), after MULTIDOMAIN was specified.  So I debated
> removing it before sending the draft, but ended up compromising on leaving
> it with that note.

I understand the point of the note, I guess I'm lobbying to have this
functionality taken care of by TLS.

> Also, I have no sense of the timeframe of expected finalization of the TLS
> extensions, and didn't want to commit to relying on them without further
> information in that regard.  If you can supply details here, that would be
> great.

http://www1.ietf.org/mail-archive/ietf-announce/Current/msg22586.html

Its in the RFC Editor queue: http://www.rfc-editor.org/queue.html

What I don't know is if these extensions are implemented anywhere yet,
specifically OpenSSL.  I quick examination of the source, or a query on
the mailing list would probably tell us.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp

More information about the ietf-nntp mailing list