[ietf-nntp] draft-ietf-nntpext-tls-nntp-01.txt

Charles Lindsey chl at clerew.man.ac.uk
Tue Mar 9 09:12:28 PST 2004


In <404C7653.4060002 at oceana.com> Ken Murchison <ken at oceana.com> writes:

>Charles Lindsey wrote:
>> 
>> Well such schemes seem to be widespread in SMTP servers AIUI.

>Which schemes?  Shared secret schemes such as CRAM-MD5, or schemes like 
>I mention above?  I believe the former, but not the latter.

I am not sufficiently familiar with all the schemes available to be sure,
but CRAM-MD5 was the one I had in mind. It seems to be widely deployed in
all sorts of client-server protocols. Why not in NNTP?

>As I said before, the problem isn't that there aren't any secure 
>authentication mechanisms available, the problem is that the 
>existing secure mechanisms aren't deployable in some installations 
>(those that pass the password to a third party application for 
>verification).  The only currently deployed auth mechs which are useful 
>for these installations are the plaintext ones, which must be protected 
>by a security layer such as TLS (per the IETF).

Yes, I remember this all started when Andrew Gierth, with his server hat
on, wanted the actual password so that he could submit it to some other
(radius?) server.

But that is not the usual case with your average NNTP connection to some
server. Hence the need for some additional but simpler scheme such as
CRAM-MD5.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5