[ietf-nntp] I-D ACTION:draft-ietf-nntpext-authinfo-00.txt

Andrew - Supernews andrew at supernews.net
Sat May 15 20:46:17 PDT 2004


>>>>> "Charles" == Charles Lindsey <chl at clerew.man.ac.uk> writes:

 Charles> c) Therefore, it MUST provide at least the DIGEST-MD5 SASL
 Charles> method so that its clients have _something_ to migrate to.

What part of "this isn't going to happen" isn't getting through here?

Migrating to a SASL method that allows recovering the plaintext
password is feasible. Migrating to digest-based methods is not, for
any site that's doing third-party authentication. Supporting TLS in
the server in order to negotiate encryption only for long enough to
send authinfo user/pass is flatly ridiculous (just look at how many
RTTs it adds to connection setup time and how often some clients
connect).

I'd _like_ to get away from plaintext passwords; but an unrealistic
approach to this draft is just going to mean that AUTHINFO USER
remains the de-facto standard forever.

-- 
Andrew, Supernews
http://www.supernews.com
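An added illustration, not part of the message above or of the draft: a sketch of why a plaintext-carrying exchange can be relayed to an outside authenticator while a DIGEST-MD5 response cannot. It assumes "third-party authentication" means a backend that only answers yes/no for a user/password pair; `ThirdPartyBackend`, the account and the host names are constructed, and the digest follows the RFC 2831 `qop=auth` calculation.

```python
import hashlib
import hmac

def _hex(data):
    return hashlib.md5(data).hexdigest().encode()

def digest_md5_response(password, user, realm, nonce, cnonce, nc, digest_uri):
    """RFC 2831 response value for qop=auth with no authzid."""
    a1 = hashlib.md5(b":".join([user, realm, password])).digest()
    a1 += b":" + nonce + b":" + cnonce
    a2 = b"AUTHENTICATE:" + digest_uri
    return _hex(b":".join([_hex(a1), nonce, nc, cnonce, b"auth", _hex(a2)]))

class ThirdPartyBackend:
    """Hypothetical remote authenticator: answers yes/no for a user/password
    pair and never releases the stored secret to the news server."""
    def __init__(self, accounts):
        self._accounts = dict(accounts)

    def check(self, user, password):
        stored = self._accounts.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

def authinfo_user_pass(backend, user, password):
    # The plaintext password reaches the server, so it can be relayed as-is.
    return backend.check(user, password)

def verify_digest(local_secrets, response, user, realm, nonce, cnonce, nc, uri):
    # The server must recompute the response, which needs the password itself
    # (or H(user:realm:pass)); a yes/no backend supplies neither.
    password = local_secrets.get(user)
    if password is None:
        return None  # unverifiable: nothing to recompute the digest from
    expected = digest_md5_response(password, user, realm, nonce, cnonce, nc, uri)
    return hmac.compare_digest(expected, response)

def demo():
    # All values below are constructed sample data.
    pw = b"constructed-pass"
    backend = ThirdPartyBackend({b"reader1": pw})
    params = (b"reader1", b"news.example", b"n0nce", b"cn0nce", b"00000001",
              b"nntp/news.example")
    response = digest_md5_response(pw, *params)
    return (authinfo_user_pass(backend, b"reader1", pw),  # relayed to backend
            verify_digest({}, response, *params),          # no local secret
            verify_digest({b"reader1": pw}, response, *params))

if __name__ == "__main__":
    print(demo())
```

The middle result is `None` rather than `False`: the server holding no secret cannot reject the response either, it simply has nothing to compare it against.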



