[ietf-nntp] authinfo-02 changes

Charles Lindsey chl at clerew.man.ac.uk
Wed Jul 7 04:06:46 PDT 2004


In <40EB5260.3070302 at oceana.com> Ken Murchison <ken at oceana.com> writes:

>Charles Lindsey wrote:
>> 
>>>@@ -338,8 +342,7 @@
>>>The AUTHINFO PASS command permits the client to use a clear-text
>>>password to authenticate.  A compliant implementation MUST NOT
>>>implement this mechanism without also implementing support for TLS
>>>-[NNTP-TLS] or the DIGEST-MD5 SASL [DIGEST-MD5] authentication
>>>-mechanism.  Use of this mechanism without an active strong encryption
>>>+[NNTP-TLS].  Use of this mechanism without an active strong encryption
>>>layer is deprecated as it exposes the user's password to all parties
>>>on the network between the client and the server.  Any implementation
>>>of this mechanism SHOULD be configurable to disable it unless a strong
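Review bot: with DIGEST-MD5 dropped from the conditional, the first sentence of the hunk now makes TLS the only thing a compliant implementation must ship alongside AUTHINFO PASS, yet the sentences that follow only say that use without a strong encryption layer "is deprecated" and that the implementation "SHOULD be configurable to disable it"; the requirement levels read as mismatched, so consider either stating the client-side rule at the same strength (e.g. "clients SHOULD NOT use AUTHINFO PASS unless a strong encryption layer is active") or explaining why the weaker SHOULD is intended. Removing "[DIGEST-MD5]" from this paragraph also removes the only citation in this section, so check that the mandatory-to-implement statement in the SASL section still carries the reference.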
>> 
>> 
>> I am not sure I like this change.

>The reason I removed DIGEST-MD5 from this part of the text was that it 
>was (correctly) pointed out to me by Alexey Melnikov that DIGEST-MD5 has 
>no relationship with USER/PASS whatsoever.

>DIGEST-MD5 is still a mandatory to implement mechanism as stated in the 
>SASL section.

>If anyone has suggested text better than what was previously there, I'm 
>willing to look at it.

I think the background to what we want is that:

1. Continued use of AUTHINFO PASS is largely an interim measure during
adoption of this standard.

2. The expected normal migration will be from AUTHINFO PASS to AUTHINFO
SASL (we do not seem to think that migrating to NNTP-TLS will happen
except in special cases such as Andrew Gierth raised, and even then we
have suggested inventing a new SASL mechanism to solve his particular
problem).

So the first question is whether we can add words such as "except as an
interim measure during the introduction of this standard" at the proper
place, perhaps coupling it with the mention further down that the
implementation SHOULD be configurable to disable AUTHINFO PASS.

Perhaps such a wording could be strengthened by mentioning "such as
migration to AUTHINFO SASL or NNTP-TLS".

And perhaps Alexey should be consulted on whether he thinks such a wording
might be acceptable (or whether he has other suggestions).

Of course, we all know that this interim period is going to last a long
time on big server sites, simply because so many clients will need to be
upgraded first.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
