[ietf-nntp] draft-ietf-nntpext-tls-nntp-01.txt
Russ Allbery
rra at stanford.edu
Fri Mar 5 09:39:05 PST 2004
Charles Lindsey <chl at clerew.man.ac.uk> writes:

> But switching to TLS just for the password exchange (whatever), and then
> likely remaining in TLS for the rest of the session, seems a vast
> overkill (except in private networks that might actually need TLS
> throughout).

We already had this discussion. The solution is to use the built-in
capabilities of TLS to negotiate down to no encryption after
authentication if that's what one wants.

> Are there no authentication methods that allow a challenge/response such
> that an eavesdropper who hears the exchange is still unable to reproduce
> it? And are such methods included within the overall SASL scheme?

Of course. There are tons of them. I don't see what that has to do with
anything.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>