[NNTP] AUTHINFO and STARTTLS interaction
Russ Allbery
rra at stanford.edu
Wed Sep 29 12:00:34 PDT 2004

Ken Murchison <ken at oceana.com> writes:
> Contrary to what I may have said previously, I don't think we *have* to
> prevent STARTTLS from being used after AUTHINFO. As long as we specify
> in which order the layers are applied (per Section 4, req. 7 of RFC
> 2222bis), I think we are free to allow STARTTLS before or after
> AUTHINFO. I believe that this is something that was discussed in the
> past and there was support for it. Do we want to revisit this, or just
> continue to disallow STARTTLS after AUTHINFO? Since I'm not a security
> expert, I don't know what, if any, flags this might raise.

I think it would be simpler overall to not have that restriction, since I
think we've already specified the order of application of the layers
elsewhere. But I don't know about the security considerations either. I
can't think of any off-hand, but that doesn't necessarily mean anything
for security issues.

Is there a TLS or SASL group where we could ask?

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>