[NNTP] NNTP working group status

Ken Murchison ken at oceana.com
Wed Nov 10 06:59:56 PST 2004 

ned.freed at mrochek.com wrote:

>> ned.freed at mrochek.com wrote:
> 
> 
>> > I agree with this assessment, although I have yet to review the 
>> STARTTLS
>> > draft to see if it meets all of the newer things the security folks 
>> want
>> > out of TLS in more recent protocols.
> 
> 
>> Ned, do you have a reference to these "newer things" so I can get a jump
>> on them?
> 
> 
> They came up in the MSGTRK group and ended up in RFC 3887. Basically 
> what was
> called for was a parameter on STARTTLS specifying the domain name of the 
> server
> the client believes it is talking to. In the words of RFC 3887:
> 
>   The parameter MUST be a fully qualified domain name (FQDN).  A client
>   MUST specify the hostname it believes it is speaking with so that the
>   server may respond with the proper TLS certificate.  This is useful
>   for virtual servers that provide message tracking for multiple
>   domains (i.e., virtual hosting).

Doh!  My co-author originally had such a parameter for NNTP STARTTLS, 
but I told him that it was unnecessary given the "Server Name 
Indication" TLS extension (RFC 3546, section 3.1).  We mention 
implementation of this as a SHOULD in the draft.  Is this not 
sufficient?  It seems to make more sense to me to handle TLS specific 
stuff within TLS itself, but I could be wrong.  I'm curious why MSGTRK 
was forced to do this at the application level rather than within TLS.

One problem with the wording in RFC 3887 as far as NNTP is concerned is 
that there already is existing deployment of STARTTLS without such an 
argument.  At the very least, if we add a domain argument to STARTTLS it 
would probably have to be optional for backwards compatibility.

I realize you're probably busy at IETF, but would you be able to query a 
couple of security guys on this and let me know if we are going to have 
to change the doc?  I'd prefer to do it before we send it off to IESG 
and ultimiately have it bounced.

Thanks,
Ken
-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp

More information about the ietf-nntp mailing list