[NNTP] Re: MODE READER

Russ Allbery rra at stanford.edu
Thu Nov 4 20:58:59 PST 2004


Mark Crispin <mrc at CAC.Washington.EDU> writes:
> On Thu, 4 Nov 2004, Andrew - Supernews wrote:

>> It's relevant, but the reasons for that may not become clear unless you
>> answer the question.

> I know, you're going to give me the "TLS is too expensive" argument.

> The fallacy is that this assumes current conditions.  When engineering a
> protocol, we must consider the conditions of the future.

It's probably a mistake to stick my oar in here, but in the hope that I
can try to explain where large site administrators like Andrew are coming
from....

I understand your point about security, but the content transmitted via
NNTP is public information to several nines.  Sites that deal with private
newsgroups do indeed have to worry about the things that you talk about;
sites that deal with the public Usenet simply don't, and won't, because
it's unnecessary work.  The data that security measures would normally
protect is not worth protecting.  The cost/benefit tradeoff for using TLS
routinely, at least for reading (posting can be a separate issue) is
wrong, and nothing we say in a standard will change that.

I *wholeheartedly* agree with you that NNTP has wandered far out in the
woods, ignored lessons from other protocols, and made a mess of itself by
doing things its own way.  It is, by and large, not special, not
different, and doesn't need its own solutions to problems.  However, there
is one way in which NNTP actually is legitimately different than other
protocols mentioned in this discussion, and that's that nearly all traffic
it transmits is public information neither requiring nor wanting any sort
of protection.  In this respect, the best analog to another protocol is
actually to HTTP, and the common case for HTTP traffic is to not encrypt
it and not protect it for very similar reasons.  NNTP does do more
authentication than HTTP (*particularly* for posting), but I don't think
the benefits of authentication for the typical NNTP server even reach the
level of SMTP, let alone something like IMAP or POP.

Yes, the facilities have to exist to deal with the difference between
almost and all, but NNTP does have a significantly different common case,
and hence when one tries to optimize for the common case, one ends up
taking different tradeoffs.

Anyway, I don't think that we have to agree on this to figure out the
right protocol design for the current document, so we probably don't
really need to argue over it.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


