[ietf-nntp] I-D ACTION:draft-ietf-nntpext-authinfo-00.txt
Andrew - Supernews
andrew at supernews.net
Sat May 15 20:46:17 PDT 2004

>>>>> "Charles" == Charles Lindsey <chl at clerew.man.ac.uk> writes:
Charles> c) Therefore, it MUST provide at least the DIGEST-MD5 SASL
Charles> method so that its clients have _something_ to migrate to.

What part of "this isn't going to happen" isn't getting through here?

Migrating to a SASL method that allows recovering the plaintext
password is feasible. Migrating to digest-based methods is not, for
any site that's doing third-party authentication. Supporting TLS in
the server in order to negotiate encryption only for long enough to
send authinfo user/pass is flatly ridiculous (just look at how many
RTTs it adds to connection setup time and how often some clients
connect).

I'd _like_ to get away from plaintext passwords; but an unrealistic
approach to this draft is just going to mean that AUTHINFO USER
remains the de-facto standard forever.

--
Andrew, Supernews
http://www.supernews.com
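
The constraint described in the message above, as an added example that is not part of the original post: a DIGEST-MD5 verifier has to recompute the client's response from a per-user secret, so a news server that can only ask an outside authenticator "is this user/password valid?" can relay a plaintext password but cannot check a digest. `ThirdPartyBackend`, the function names and all sample values are hypothetical; the response computation follows RFC 2831 for `qop=auth` without an authzid.

```python
import hashlib, hmac, os

def md5hex(b: bytes) -> str:
    return hashlib.md5(b).hexdigest()

def user_secret(user, realm, password) -> bytes:
    # H(username:realm:passwd): the password-equivalent a DIGEST-MD5 verifier must hold
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()

def digest_response(secret, nonce, cnonce, nc, digest_uri) -> str:
    # RFC 2831 response-value for qop=auth, no authzid
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return md5hex(f"{md5hex(a1)}:{nonce}:{nc}:{cnonce}:auth:{md5hex(a2)}".encode())

class ThirdPartyBackend:
    """Hypothetical external authenticator: answers yes/no to (user, password) only."""
    def __init__(self, accounts):
        self._salt = os.urandom(16)  # one salt for the whole toy store, for brevity
        self._db = {u: self._kdf(p) for u, p in accounts.items()}
    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)
    def check(self, user, password) -> bool:
        stored = self._db.get(user)
        return stored is not None and hmac.compare_digest(stored, self._kdf(password))

def auth_plaintext(backend, user, password) -> bool:
    # AUTHINFO USER/PASS or any mechanism that hands the server the password: relay it.
    return backend.check(user, password)

def auth_digest(local_secrets, user, nonce, cnonce, nc, digest_uri, response):
    # Returns None when the server holds no secret for the user (the third-party
    # case): the backend's yes/no interface gives it nothing to recompute from.
    secret = local_secrets.get(user)
    if secret is None:
        return None
    expected = digest_response(secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)

def demo():
    # Constructed sample values, not taken from the thread or the draft.
    user, realm, pw = "alice", "example.net", "correct horse"
    nonce, cnonce, nc, uri = "srv-nonce-1", "cli-nonce-1", "00000001", "nntp/news.example.net"
    secret = user_secret(user, realm, pw)
    resp = digest_response(secret, nonce, cnonce, nc, uri)
    backend = ThirdPartyBackend({user: pw})
    return (auth_plaintext(backend, user, pw),                       # relay works
            auth_digest({}, user, nonce, cnonce, nc, uri, resp),     # cannot verify
            auth_digest({user: secret}, user, nonce, cnonce, nc, uri, resp))
```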