[ietf-nntp] draft-ietf-nntpext-tls-nntp-01.txt
Charles Lindsey
chl at clerew.man.ac.uk
Fri Mar 5 09:12:43 PST 2004
In <4047440D.1000208 at oceana.com> Ken Murchison <ken at oceana.com> writes:
>I believe its done this way in other protocols because SSL/TLS is mostly
>used to protect the authentication credentials, not the actual message
>data. I don't think there is any technical reason why STARTTLS
>couldn't be done after authentication, but since most (if not all)
>applications are accustomed to having any SASL security layer nested
>*inside* of a SSL/TLS layer, allowing STARTTLS after authentication
>would break this paradigm. This is also the same reason why most
>protocols don't allow reauthentication via SASL (handling of multiple
>security layers).
But switching to TLS just for the password exchange (whatever), and then
likely remaining in TLS for the rest of the session, seems a vast overkill
(except in private networks that might actually need TLS throughout).
Are there no authentication methods that allow a challenge/response such
that an eavesdropper who hears the exchange is still unable to reproduce
it? And are such methods included within the overall SASL scheme?
For example, I currently authenticate to my mail server using CRAM-MD5 and
it does not, so far as I am aware, involve any switch into TLS. Or does
it?
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5