[ietf-nntp] draft-ietf-nntpext-tls-nntp-01.txt
Charles Lindsey
chl at clerew.man.ac.uk
Mon Mar 8 04:03:45 PST 2004
In <4048C2B8.9010409 at oceana.com> Ken Murchison <ken at oceana.com> writes:
>Russ Allbery wrote:
>>
>> We already had this discussion. The solution is to use the built-in
>> capabilities of TLS to negotiate down to no encryption after
>> authentication if that's what one wants.
>Or design a new SASL mechanism which doesn't expose the plaintext
>password during the exchange, but allows the plaintext password to be
>recovered by the server. Chris Newman's old PASSDSS draft was one such
>mechanism as is Tony Hansen's proposed PKI mechanism, but neither of
>these has any deployment.
Well, such schemes seem to be widespread in SMTP servers AIUI. Doubtless
TLS is also available in such servers, but I doubt it is used to anything
like the same extent. Hence my surprise that we are not proposing such a
scheme here, and seem to be relying on TLS as the _only_ "respectable"
method of authentication.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5