[NNTP] Fwd: Discuss: nntp authinfo and tls
Russ Allbery
rra at stanford.edu
Thu Jul 21 18:23:13 PDT 2005
Here's more on the canonicalization point. Ted Hardie also indicated that
a byte-for-byte comparison was okay with him.
To: Russ Allbery <rra at stanford.edu>
Cc: "Scott Hollenbeck" <sah at 428cobrajet.net>,
"'Wijnen, Bert (Bert)'" <bwijnen at lucent.com>, iesg at ietf.org
Subject: Re: Discuss: nntp authinfo and tls
From: Sam Hartman <hartmans-ietf at mit.edu>
Date: Thu, 21 Jul 2005 12:36:34 -0400
>>>>> "Russ" == Russ Allbery <rra at stanford.edu> writes:
Russ> Sam Hartman <hartmans-ietf at mit.edu> writes:
>>>>>>> "Scott" == Scott Hollenbeck <sah at 428cobrajet.net> writes:
Scott> Beat me to it, Bert. I think the saslprep piece of what
Scott> Sam asked for is already covered.
>> no, that's the authorization identity, which is only used in
>> authinfo sasl, not authinfo user/authinfo pass.
Russ> authinfo user / authinfo pass is documentation of a legacy
Russ> protocol. I'm not sure we really should have even said the
Russ> character set was UTF-8, since in practice what existing
Russ> servers do is a byte-for-byte comparison of what's sent to
Russ> those commands with their authentication database.
I'd be happy with not specifying a character string. I don't know if the
rest of the IESG would agree with this.
Russ> I'm not sure the best way to deal with this. Guidance would
Russ> be welcome. Requiring a normalization pass would mean that
Russ> existing software would have to be modified to support the
Russ> protocol, which pretty much defeats the whole point; at that
Russ> point, existing software may as well just implement SASL
Russ> (which is the recommendation going forward).
I would recommend a normalization pass, not require it. It is a true
statement that if you don't normalize then you have interoperability
problems for all the reasons that stringprep exists. If I were in
your position I'd change the document to briefly describe why you want
to normalize and to give a specific recommendation for one way to do
normalization. I understand that legacy servers will not implement
this. However, it seems like a modern server that backs the same
database for user/pass and for sasl plain would want to do
normalization for both.
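
The interoperability problem discussed in this thread, as an added example that is not part of the original messages or of the NNTP drafts: a byte-for-byte comparison rejects the same visible password when two clients encode it differently, while a normalization pass accepts it. The function names and sample credentials are constructed, and `saslprep_simplified` is an assumed, reduced form of SASLprep (RFC 4013) that omits the bidirectional checks.

```python
import hmac
import stringprep
import unicodedata

# RFC 4013 prohibited-output tables, plus unassigned code points (table A.1).
PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9, stringprep.in_table_a1,
)

def saslprep_simplified(value: str) -> str:
    """Hypothetical helper: SASLprep mapping, NFKC and prohibited checks (no bidi)."""
    mapped = []
    for ch in value:
        if stringprep.in_table_b1(ch):        # "commonly mapped to nothing"
            continue
        # Non-ASCII spaces are mapped to U+0020.
        mapped.append(" " if stringprep.in_table_c12(ch) else ch)
    prepared = unicodedata.normalize("NFKC", "".join(mapped))
    if any(check(ch) for ch in prepared for check in PROHIBITED):
        raise ValueError("prohibited or unassigned code point")
    return prepared

def legacy_match(sent: bytes, stored: bytes) -> bool:
    """Byte-for-byte comparison, as existing AUTHINFO USER/PASS servers do."""
    return hmac.compare_digest(sent, stored)

def normalized_match(sent: bytes, stored: bytes) -> bool:
    """Compare after preparing both sides; reject undecodable or prohibited input."""
    try:
        a = saslprep_simplified(sent.decode("utf-8"))
        b = saslprep_simplified(stored.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

# Constructed sample: the same visible password, precomposed vs. decomposed.
STORED = "r\u00e9sum\u00e9".encode("utf-8")    # NFC, as provisioned
SENT = "re\u0301sume\u0301".encode("utf-8")    # NFD, as one client encodes it

if __name__ == "__main__":
    print("byte-for-byte:", legacy_match(SENT, STORED))
    print("normalized:   ", normalized_match(SENT, STORED))
```

A server that stores only password hashes would have to apply the same preparation before hashing, both at provisioning time and at login.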