[ietf-nntp] authinfo-02 changes

Ken Murchison ken at oceana.com
Tue Jul 6 18:31:12 PDT 2004 

Charles Lindsey wrote:
> In <40EACA6F.5030703 at oceana.com> Ken Murchison <ken at oceana.com> writes:
> 
> 
>>Attached are the changes I just made to the AUTHINFO draft based on 
>>comments from the list and those I received privately.  I did a diff 
>>against the nroff rather than the generated text, since the nroff isn't 
>>subject to changes in page breaks.  Please review and let me know if 
>>I've missed anything.
> 
> 
>>@@ -338,8 +342,7 @@
>>The AUTHINFO PASS command permits the client to use a clear-text
>>password to authenticate.  A compliant implementation MUST NOT
>>implement this mechanism without also implementing support for TLS
>>-[NNTP-TLS] or the DIGEST-MD5 SASL [DIGEST-MD5] authentication
>>-mechanism.  Use of this mechanism without an active strong encryption
>>+[NNTP-TLS].  Use of this mechanism without an active strong encryption
>>layer is deprecated as it exposes the user's password to all parties
>>on the network between the client and the server.  Any implementation
>>of this mechanism SHOULD be configurable to disable it unless a strong
> 
> 
> I am not sure I like this change.

The reason I removed DIGEST-MD5 from this part of the text was that it 
was (correctly) pointed out to me by Alexey Melnikov that DIGEST-MD5 has 
no relationship with USER/PASS whatsoever.

DIGEST-MD5 is still a mandatory to implement mechanism as stated in the 
SASL section.

If anyone has suggested text better that what was previously there, I'm 
willing to look at it.

> OK, you have removed any detailed requirements on the format of the
> authorization identity, which is fine by me, but now your text launches
> straight into a description of how that identity is to be included in an
> audit trail and/or inserted into the headers of the article. But at this
> point in your text there is no indication to the reader of what the
> authorization identity is, or where it came from.
> 
> I think therefore you need some text of the form:
> 
> "Once authenticated, the authorization identity generated by the SASL
> exchange (see section 2.2.2 above) SHOULD be included in an audit-trail
> associating ....."

Right.  I did a last minute cut of the existing text without checking 
the surrounding context.  I'll add text similar to what you suggest.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp

More information about the ietf-nntp mailing list