[ietf-nntp] draft-ietf-nntpext-tls-nntp-01.txt
Ken Murchison
ken at oceana.com
Fri Mar 5 10:11:03 PST 2004

Russ Allbery wrote:
> Charles Lindsey <chl at clerew.man.ac.uk> writes:
>
>>But switching to TLS just for the password exchange (whatever), and then
>>likely remaining in TLS for the rest of the session, seems a vast
>>overkill (except in private networks that might actually need TLS
>>throughout).
>
> We already had this discussion. The solution is to use the built-in
> capabilities of TLS to negotiate down to no encryption after
> authentication if that's what one wants.

Or design a new SASL mechanism which doesn't expose the plaintext
password during the exchange, but allows the plaintext password to be
recovered by the server. Chris Newman's old PASSDSS draft was one such
mechanism, as is Tony Hansen's proposed PKI mechanism, but neither of
these has any deployment.

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp