ietf-nntp TLS and AUTHINFO interaction
Harmeet Bedi
harmeet at kodemuse.com
Mon Mar 17 20:05:36 PST 2003
----- Original Message -----
From: "Jeffrey M. Vinocur" <jeff at litech.org>
> Question as I consider how to phrase the revision suggested above. The
> existing text in question reads
>
> The server MUST discard any knowledge obtained from the client, such
> as the result of a previous authentication, which was not obtained
> from the TLS negotiation itself.
>
Here is a scenerio.
- NNTPReader authenticates securely over plain socket and then upgrades to
TLS for a secure channel.
- TLS does not do mutual authentication and server already knows Reader
identity.
>From the paragraph above the Reader be forced to reauthenticate. One
downside may be additional expense for reauthentication over a more
expensive secure connection. Is this an unnecessary limitation.
Re-Authentication may be expensive and need not add to security.
Harmeet
More information about the ietf-nntp
mailing list