[ietf-nntp] authinfo-02 changes
Russ Allbery
rra at stanford.edu
Tue Jul 6 16:17:34 PDT 2004
Charles Lindsey <chl at clerew.man.ac.uk> writes:
> Ken Murchison <ken at oceana.com> writes:
>> The AUTHINFO PASS command permits the client to use a clear-text
>> password to authenticate. A compliant implementation MUST NOT
>> implement this mechanism without also implementing support for TLS
>> -[NNTP-TLS] or the DIGEST-MD5 SASL [DIGEST-MD5] authentication
>> -mechanism. Use of this mechanism without an active strong encryption
>> +[NNTP-TLS]. Use of this mechanism without an active strong encryption
>> layer is deprecated as it exposes the user's password to all parties
>> on the network between the client and the server. Any implementation
>> of this mechanism SHOULD be configurable to disable it unless a strong
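Review bot: Dropping "or the DIGEST-MD5 SASL [DIGEST-MD5] authentication mechanism" from the MUST NOT clause makes support for [NNTP-TLS] the sole precondition for implementing AUTHINFO PASS, so a server that relied on offering DIGEST-MD5 alongside clear-text passwords falls out of compliance; if that narrowing is intended, the retained context sentence should be aligned with it, since it still speaks of "an active strong encryption layer" in general terms while the normative clause now names only TLS. The quoted hunk also ends mid-sentence at "unless a strong", so the SHOULD requirement on configurability cannot be reviewed from what is shown here.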
> I am not sure I like this change.
This is not something about which I believe we have a choice, and it's
definitely not something I'm willing to fight with the IESG about. I
expect that quite a few servers will not be compliant with this draft for
a while to come because NNTP is so idiosyncratic about how authentication
works, but this is the way that all authentication RFCs are written and I
really don't think we're justified in deviating from the standard.
Clear-text authentication, however much it's useful for NNTP for right now
and however much it's likely to be common for some time in the future, is
still bad engineering and I think it's reasonable to write the standard
accordingly.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
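The draft text quoted above says a server MUST NOT offer AUTHINFO PASS without TLS support and SHOULD be configurable to disable it unless an encryption layer is active. The following is an added example, not code from the ietf-nntp thread or from any NNTP server, of a minimal server-side AUTHINFO USER/PASS handler that enforces that policy: the hardened default refuses the clear-text exchange on an unencrypted session, and a single configuration flag (an assumed name, `allow_cleartext_auth_without_tls`) is the only way to weaken it. The response codes used (281, 381, 481, 482, 483, 501, 502) are the NNTP reply codes assumed for this example; the credential store is constructed sample data.

```python
"""Added example (not from the ietf-nntp thread or any NNTP server's code):
a minimal server-side AUTHINFO USER/PASS handler that only accepts a
clear-text password over an active TLS layer, with a configuration knob
that must be explicitly set to permit the weak behaviour.
Reply codes 281/381/481/482/483/501/502 are the NNTP codes assumed here."""

from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac


@dataclass
class ServerConfig:
    # Draft text: an implementation SHOULD be configurable to disable
    # AUTHINFO PASS unless a strong encryption layer is active.
    # Hardened default: clear-text authentication requires TLS.
    allow_cleartext_auth_without_tls: bool = False


@dataclass
class Session:
    tls_active: bool = False          # set once STARTTLS has completed
    pending_user: Optional[str] = None
    authenticated: bool = False


# Constructed sample credential store: username -> PBKDF2-SHA256 digest.
# (Constructed data for this example; a real server would use its own store.)
_SALT = b"constructed-salt-not-secret"


def _digest(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


USERS = {"alice": _digest("correct horse")}


def handle_authinfo(cmd: str, cfg: ServerConfig, sess: Session) -> str:
    """Process one AUTHINFO command line and return the NNTP reply line."""
    parts = cmd.split(" ", 2)
    if len(parts) != 3 or parts[0].upper() != "AUTHINFO":
        return "501 Syntax error"
    sub, arg = parts[1].upper(), parts[2]
    if sub not in ("USER", "PASS"):
        return "501 Unknown AUTHINFO subcommand"

    # Policy check from the draft: never take a clear-text password (or the
    # username that precedes it) off an unencrypted link unless the operator
    # has explicitly re-enabled that behaviour.
    if not sess.tls_active and not cfg.allow_cleartext_auth_without_tls:
        return "483 Secure connection required"
    if sess.authenticated:
        return "502 Command unavailable: already authenticated"

    if sub == "USER":
        sess.pending_user = arg
        return "381 Password required"

    # AUTHINFO PASS must follow AUTHINFO USER in the same session.
    if sess.pending_user is None:
        return "482 Authentication commands issued out of sequence"
    expected = USERS.get(sess.pending_user)
    # Constant-time comparison; an unknown user still costs one digest.
    ok = expected is not None and hmac.compare_digest(expected, _digest(arg))
    sess.pending_user = None
    if ok:
        sess.authenticated = True
        return "281 Authentication accepted"
    return "481 Authentication failed"
```

The check runs before the USER step as well as the PASS step, so an unencrypted client never gets the 381 prompt that would invite it to send the password in the clear; flipping `allow_cleartext_auth_without_tls` to `True` reproduces the deprecated behaviour the draft warns about.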