[NNTP] AUTHINFO and STARTTLS interaction

Ken Murchison ken at oceana.com
Wed Sep 29 12:23:18 PDT 2004


Russ Allbery wrote:

> Ken Murchison <ken at oceana.com> writes:
> 
> 
>>Contrary to what I may have said previously, I don't think we *have* to
>>prevent STARTTLS from being used after AUTHINFO.  As long as we specify
>>in which order the layers are applied (per Section 4, req. 7 of RFC
>>2222bis), I think we are free to allow STARTTLS before or after
>>AUTHINFO.  I believe that this is something that was discussed in the
>>past and there was support for it.  Do we want to revisit this, or just
>>continue to disallow STARTTLS after AUTHINFO?  Since I'm not a security
>>expert, I don't know what, if any, flags this might raise.
> 
> 
> I think it would be simpler overall to not have that restriction, since I
> think we've already specified the order of application of the layers
> elsewhere.  But I don't know about the security considerations either.  I
> can't think of any off-hand, but that doesn't necessarily mean anything
> for security issues.

Would removing this restriction make people happier with the language in 
the draft and possible implementation choices?  I know some people 
didn't want to have to negotiate TLS at the start of a session just 
because one of many groups might require it.  Note that there still 
isn't any way to disable TLS once negotiated (other than re-negotiating 
down to the NULL cipher).


> Is there a TLS or SASL group where we could ask?

I can ask some SASL/IMAP/POP3/SMTP people.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
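As an added illustration of the point the thread is circling (that what matters is the specified order in which the TLS and SASL layers are applied to data, not the order in which STARTTLS and AUTHINFO were negotiated), here is a toy session model. It is not code from this thread, from the draft, or from any NNTP implementation. The "layers" are string wrappers standing in for real TLS and SASL encoding, the SASL exchange itself is elided, and the choice of SASL as the inner layer and TLS as the outer one is an assumption made here, since this message only says the order is specified elsewhere. The `allow_starttls_after_authinfo` flag is a hypothetical knob representing the two draft choices being debated, and it also encodes the observation that TLS, once negotiated, cannot be switched off.

```python
from dataclasses import dataclass, field
from typing import List


class ProtocolError(Exception):
    """Raised when a command is issued in a state the session does not allow."""


@dataclass
class Session:
    """Server-side view of one NNTP session's security state (toy model).

    allow_starttls_after_authinfo models the draft choice under discussion:
    False keeps the restriction, True drops it.  (Hypothetical knob.)
    """
    allow_starttls_after_authinfo: bool = True
    tls_active: bool = False
    sasl_layer_active: bool = False
    negotiation_order: List[str] = field(default_factory=list)

    def starttls(self) -> None:
        # Once TLS is up there is no way to turn it off again, so a second
        # STARTTLS is an error rather than a way to drop the layer.
        if self.tls_active:
            raise ProtocolError("TLS already active and cannot be disabled")
        if self.sasl_layer_active and not self.allow_starttls_after_authinfo:
            raise ProtocolError("STARTTLS not permitted after AUTHINFO")
        self.tls_active = True
        self.negotiation_order.append("TLS")

    def authinfo_sasl(self) -> None:
        # The SASL exchange itself is elided (assumption of the toy); we only
        # record that a SASL security layer is now in effect.
        if self.sasl_layer_active:
            raise ProtocolError("already authenticated")
        self.sasl_layer_active = True
        self.negotiation_order.append("SASL")

    def encode(self, data: bytes) -> bytes:
        """Apply the active layers in a FIXED order, independent of the
        negotiation order: SASL innermost, TLS outermost (assumed here)."""
        out = data
        if self.sasl_layer_active:
            out = b"SASL[" + out + b"]"   # stand-in for the SASL security layer
        if self.tls_active:
            out = b"TLS[" + out + b"]"    # stand-in for TLS record encoding
        return out

    def decode(self, wire: bytes) -> bytes:
        """Strip the layers in the reverse of the order encode() applied them."""
        out = wire
        if self.tls_active:
            if not (out.startswith(b"TLS[") and out.endswith(b"]")):
                raise ProtocolError("expected TLS framing")
            out = out[len(b"TLS["):-1]
        if self.sasl_layer_active:
            if not (out.startswith(b"SASL[") and out.endswith(b"]")):
                raise ProtocolError("expected SASL framing")
            out = out[len(b"SASL["):-1]
        return out


def run_commands(commands: List[str], allow_starttls_after_authinfo: bool = True) -> Session:
    """Drive a fresh session through a sequence of 'STARTTLS' / 'AUTHINFO' commands."""
    s = Session(allow_starttls_after_authinfo=allow_starttls_after_authinfo)
    for cmd in commands:
        if cmd == "STARTTLS":
            s.starttls()
        elif cmd == "AUTHINFO":
            s.authinfo_sasl()
        else:
            raise ProtocolError(f"unknown command {cmd!r}")
    return s


def wire_bytes(commands: List[str], payload: bytes,
               allow_starttls_after_authinfo: bool = True) -> bytes:
    """What a payload looks like on the wire after the given negotiation sequence."""
    return run_commands(commands, allow_starttls_after_authinfo).encode(payload)


def is_permitted(commands: List[str], allow_starttls_after_authinfo: bool = True) -> bool:
    """True if the command sequence is accepted under the chosen draft policy."""
    try:
        run_commands(commands, allow_starttls_after_authinfo)
    except ProtocolError:
        return False
    return True


if __name__ == "__main__":
    # Constructed payload; both negotiation orders yield the same layering.
    for order in (["STARTTLS", "AUTHINFO"], ["AUTHINFO", "STARTTLS"]):
        print(order, wire_bytes(order, b"example line"))
    print("STARTTLS after AUTHINFO with the restriction kept:",
          is_permitted(["AUTHINFO", "STARTTLS"], allow_starttls_after_authinfo=False))
```

Running it shows that both negotiation orders produce identically layered output once the application order is fixed, which is the argument for dropping the restriction; flipping the flag to `False` shows what the current draft's restriction looks like as server behaviour, and issuing STARTTLS twice is rejected either way.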