[ietf-nntp] authinfo-02 changes

Russ Allbery rra at stanford.edu
Wed Jul 7 12:49:49 PDT 2004


Charles Lindsey <chl at clerew.man.ac.uk> writes:

> 2. The expected normal migration will be from AUTHINFO PASS to AUTHINFO
> SASL (we do not seem to think that migrating to NNTP-TLS will happen
> except in special cases such as Andrew Gierth raised, and even then we
> have suggested inventing a new SASL mechanism to solve his particular
> problem).

I migrated a local server to TLS.  I expect that will be quite common in
certain environments once TLS is standardized and readily available.  It
just won't be common for the large Usenet outsourcers since the overhead
is too high for large reader sites right now.

> So the first question is whether we can add words such as "except as an
> interim measure during the introduction of this standard" at the proper
> place, perhaps coupling it with the mention further down that the
> implementation SHOULD be configurable to disable AUTHINFO PASS.

I don't really want to do this.  I think it would be a fight over security
issues and I don't see a need to pick this fight, and it's not clear to me
that it's even the right way to push.

> And perhaps Alexey should be consulted on whether he thinks such a
> wording might be acceptable (or whether he has other suggestions).

I'm not sure why we would consult Alexey in particular, although certainly
anyone who has an opinion is welcome to comment.  But we already have an
AD advisor who can weigh in on issues like this, and if you'd like, I can
bring this issue to Scott in particular.

Note that the main obstacle to adopting AUTHINFO SASL is going to be a
suitable SASL mechanism that allows one to recover the clear-text of the
password without requiring the whole session be encrypted, something that
this working group isn't really in a position to provide.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


