[NNTP] Fwd: Discuss: nntp authinfo and tls

Russ Allbery rra at stanford.edu
Thu Jul 21 18:23:13 PDT 2005


Here's more on the canonicalization point.  Ted Hardie also indicated that
a byte-for-byte comparison was okay with him.


To: Russ Allbery <rra at stanford.edu>
Cc: "Scott Hollenbeck" <sah at 428cobrajet.net>,
        "'Wijnen, Bert (Bert)'" <bwijnen at lucent.com>, iesg at ietf.org
Subject: Re: Discuss: nntp authinfo and tls
From: Sam Hartman <hartmans-ietf at mit.edu>
Date: Thu, 21 Jul 2005 12:36:34 -0400

>>>>> "Russ" == Russ Allbery <rra at stanford.edu> writes:

    Russ> Sam Hartman <hartmans-ietf at mit.edu> writes:
    >>>>>>> "Scott" == Scott Hollenbeck <sah at 428cobrajet.net> writes:

    Scott> Beat me to it, Bert.  I think the saslprep piece of what
    Scott> Sam asked for is already covered.

    >> no, that's the authorization identity, which is only used in
    >> authinfo sasl, not authinfo user/authinfo pass.

    Russ> authinfo user / authinfo pass is documentation of a legacy
    Russ> protocol.  I'm not sure we really should have even said the
    Russ> character set was UTF-8, since in practice what existing
    Russ> servers do is a byte-for-byte comparison of what's sent to
    Russ> those commands with their authentication database.

I'd be happy with not specifying a character string.  I don't know if the
rest of the IESG would agree with this.

    Russ> I'm not sure the best way to deal with this.  Guidance would
    Russ> be welcome.  Requiring a normalization pass would mean that
    Russ> existing software would have to be modified to support the
    Russ> protocol, which pretty much defeats the whole point; at that
    Russ> point, existing software may as well just implement SASL
    Russ> (which is the recommendation going forward).


I would recommend a normalization pass, not require it.  It is a true
statement that if you don't normalize then you have interoperability
problems for all the reasons that stringprep exists.  If I were in
your position I'd change the document to briefly describe why you want
to normalize and to give a specific recommendation for one way to do
normalization.  I understand that legacy servers will not implement
this.  However it seems like for a modern server that backs the same
database for user/pass and for sasl plain would want to do
normalization for both.
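
The difference between the two comparison strategies discussed in this thread, as an added example that is not part of the original messages or of any NNTP server's code. It assumes SASLprep (RFC 4013) as the normalization, built on Python's standard `stringprep` tables; the function names and the sample user name are constructed for illustration.

```python
import hmac
import stringprep
import unicodedata

# RFC 3454 tables that RFC 4013 (SASLprep) prohibits in output.
PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21_c22, stringprep.in_table_c3,
    stringprep.in_table_c4, stringprep.in_table_c5, stringprep.in_table_c6,
    stringprep.in_table_c7, stringprep.in_table_c8, stringprep.in_table_c9,
)

def saslprep(s: str) -> str:
    """SASLprep for stored strings: map, NFKC-normalize, prohibit, bidi check."""
    # Map: drop "commonly mapped to nothing" chars, non-ASCII spaces -> U+0020.
    mapped = "".join(" " if stringprep.in_table_c12(c) else c
                     for c in s if not stringprep.in_table_b1(c))
    out = unicodedata.normalize("NFKC", mapped)
    for c in out:
        if stringprep.in_table_a1(c) or any(t(c) for t in PROHIBITED):
            raise ValueError(f"prohibited code point U+{ord(c):04X}")
    # Bidi: a string with RandALCat chars must start and end with one and
    # must not contain any LCat chars.
    if any(stringprep.in_table_d1(c) for c in out):
        if any(stringprep.in_table_d2(c) for c in out) or not (
                stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise ValueError("bidi rule violated")
    return out

def bytes_match(sent: bytes, stored: bytes) -> bool:
    """Legacy behaviour: compare the octets exactly as received."""
    return hmac.compare_digest(sent, stored)

def normalized_match(sent: bytes, stored: bytes) -> bool:
    """Compare after SASLprep; undecodable or prohibited input never matches."""
    try:
        a, b = (saslprep(x.decode("utf-8")) for x in (sent, stored))
    except (UnicodeDecodeError, ValueError):
        return False
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

# Constructed sample: the same user name as two different UTF-8 octet strings.
STORED = "Jos\u00e9".encode("utf-8")   # precomposed e-acute (NFC)
SENT = "Jose\u0301".encode("utf-8")    # e + combining acute (NFD)

if __name__ == "__main__":
    print("byte-for-byte:", bytes_match(SENT, STORED))
    print("normalized:   ", normalized_match(SENT, STORED))
```

The normalized comparison also rejects credentials containing control characters or invalid UTF-8, which a byte-for-byte comparison accepts as long as the octets are identical.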


