[NNTP] AUTHINFO and STARTTLS interaction
Ken Murchison
ken at oceana.com
Wed Sep 29 12:23:18 PDT 2004
Russ Allbery wrote:
> Ken Murchison <ken at oceana.com> writes:
>
>>Contrary to what I may have said previously, I don't think we *have* to
>>prevent STARTTLS from being used after AUTHINFO. As long as we specify
>>in which order the layers are applied (per Section 4, req. 7 of RFC
>>2222bis), I think we are free to allow STARTTLS before or after
>>AUTHINFO. I believe that this is something that was discussed in the
>>past and there was support for it. Do we want to revisit this, or just
>>continue to disallow STARTTLS after AUTHINFO? Since I'm not a security
>>expert, I don't know what, if any, flags this might raise.
>
> I think it would be simpler overall to not have that restriction, since I
> think we've already specified the order of application of the layers
> elsewhere. But I don't know about the security considerations either. I
> can't think of any off-hand, but that doesn't necessarily mean anything
> for security issues.
Would removing this restriction make people happier with the language in
the draft and possible implementation choices? I know some people
didn't want to have to negotiate TLS at the start of a session just
because one of many groups might require it. Note that there still
isn't any way to disable TLS once negotiated (other than re-negotiating
down to the NULL cipher).
> Is there a TLS or SASL group where we could ask?
I can ask some SASL/IMAP/POP3/SMTP people.
--
Kenneth Murchison
Software Engineer
716-662-8973 x26
Oceana Matrix Ltd.
21 Princeton Place
Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
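As an added illustration, not code from this thread or from any NNTP implementation: a toy server-side session that models the two policy choices under discussion (refuse or permit STARTTLS after AUTHINFO) and shows that the order in which the layers are applied to data can be fixed by the specification independently of the order in which they were negotiated. The reply codes (382, 281, 502) are taken from the published NNTP RFCs, and the "SASL innermost, TLS outermost" application order is an assumption chosen for the example.

```python
# Added example, not from the thread: a toy NNTP server session modelling
# the STARTTLS/AUTHINFO ordering question.
# Assumptions: reply codes 382/281/502 as in the published NNTP RFCs;
# "SASL innermost, TLS outermost" application order is illustrative only.

class NntpSession:
    def __init__(self, allow_starttls_after_auth: bool):
        self.allow_starttls_after_auth = allow_starttls_after_auth
        self.tls_active = False
        self.authenticated = False
        self.sasl_layer = False      # was a SASL security layer negotiated?
        self.negotiated = []         # order in which the client negotiated layers

    def starttls(self):
        """Handle STARTTLS; returns (code, text) as the server would reply."""
        if self.tls_active:
            # TLS cannot be disabled once negotiated, so a repeat is refused.
            return (502, "TLS already active")
        if self.authenticated and not self.allow_starttls_after_auth:
            return (502, "STARTTLS not permitted after AUTHINFO")
        self.tls_active = True
        self.negotiated.append("TLS")
        return (382, "Continue with TLS negotiation")

    def authinfo_sasl(self, mechanism: str, security_layer: bool = False):
        """Handle AUTHINFO SASL; the mechanism exchange itself is elided."""
        if self.authenticated:
            return (502, "Already authenticated")
        self.authenticated = True
        self.sasl_layer = security_layer
        self.negotiated.append("SASL")
        return (281, "Authentication accepted")

    def applied_layers(self):
        """Order in which protections are applied to outgoing data.
        Fixed by the spec, not by self.negotiated (assumed order here)."""
        layers = []
        if self.sasl_layer:
            layers.append("SASL")
        if self.tls_active:
            layers.append("TLS")
        return layers

    def wrap_outbound(self, data: bytes) -> bytes:
        """Tag-wrap data so the application order is visible."""
        for layer in self.applied_layers():
            data = layer.encode() + b"(" + data + b")"
        return data
```

Whether or not STARTTLS is negotiated before or after AUTHINFO, `applied_layers()` yields the same order, which is what makes lifting the restriction safe from a layering standpoint.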