[NNTP] Re: FW: GenART reviews of draft-ietf-nntpext-tls-nntp-07 and draft-ietf-nntpext-authinfo-09
Lakshminath Dondeti
ldondeti at qualcomm.com
Sat Jul 30 22:01:38 PDT 2005
(Apologies for not closing the thread earlier -- was in the middle of a
US coast-to-coast move last 2 weeks)
From my POV all issues on this thread have been addressed and closed.
I am glad to know that down-negotiation was considered.
Brian voted "No Obj" on this, so none of the comments are blocking in
the first place.
thanks and regards,
Lakshminath
Russ Allbery wrote:
>>From: Lakshminath Dondeti [mailto:ldondeti at qualcomm.com]
>>
>>Request for clarification
>>---------------------------
>>The applications of secure transport (from the authinfo I-D) are: "to
>>control resource consumption," "to allow abusers of the POST command to
>>be identified," and "to restrict access to "local" groups."
>>
>>The last one does require an encrypted channel, but I don't think the
>>other two do. An authenticated (integrity-protected) channel might be
>>sufficient for some applications. For applications which do not require
>>confidentiality, why waste resources or, put another way, why slow down
>>downloads by making encryption a MUST? Thus, I think it would make
>>sense for the drafts to specify an integrity-only security layer as a
>>MUST/SHOULD (e.g., TLS_RSA_WITH_NULL_SHA).
>>
>>I am curious if the WG had this discussion. If there was such a
>>discussion and the drafts reflect the consensus, please ignore my
>>comment above. If not, perhaps it makes sense to specify such a mode
>>for efficient operation.
>
>I'm not sure that I understand the clarification request.
>
>TLS is only required for AUTHINFO USER/PASS or for SASL PLAIN, not for the
>general SASL mechanism. It's required there because the actual password
>is being transmitted, and therefore encryption is required to protect it
>from interception. We did discuss the possibility of down-negotiation of
>the confidentiality layer after authentication, but the working group (in
>consultation with TLS experts) concluded that correct specification and
>implementation of down-negotiation were too complex and unusual to be a
>viable option.
>
>When using a different SASL mechanism, confidentiality is not required.
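The rule Russ describes, modelled as a minimal server-side gate in an added example (not code from the drafts or from either poster): AUTHINFO USER/PASS and SASL PLAIN carry the password itself, so the server refuses them and does not advertise them until TLS is active, while other SASL mechanisms are allowed on a cleartext connection. The mechanism list, credential store and the 483/381/383 response codes (taken from RFC 3977 and the AUTHINFO draft) are assumptions for this example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical server configuration (constructed for this example).
SUPPORTED_SASL = {"PLAIN", "CRAM-MD5"}
PASSWORD_BEARING = {"PLAIN"}          # mechanisms that send the bare password
USERS = {"alice": "correct horse"}    # constructed credential store


@dataclass
class Session:
    tls_active: bool = False
    authenticated: bool = False
    pending_user: Optional[str] = None


def capabilities(session: Session) -> list:
    """CAPABILITIES lines: advertise only what this connection may use."""
    mechs = sorted(m for m in SUPPORTED_SASL
                   if session.tls_active or m not in PASSWORD_BEARING)
    args = (["USER"] if session.tls_active else []) + ["SASL"]
    return ["AUTHINFO " + " ".join(args), "SASL " + " ".join(mechs)]


def handle_authinfo(session: Session, line: str) -> str:
    """Return the response line for one AUTHINFO command."""
    parts = line.split(None, 2)          # keep spaces inside the password
    if len(parts) != 3 or parts[0].upper() != "AUTHINFO":
        return "501 Syntax error"
    if session.authenticated:
        return "502 Already authenticated"
    sub, arg = parts[1].upper(), parts[2]
    if sub in ("USER", "PASS"):
        if not session.tls_active:       # password would cross the wire in clear
            return "483 Encryption required"
        if sub == "USER":
            session.pending_user = arg
            return "381 Password required"
        if session.pending_user is None:
            return "482 Authentication commands issued out of sequence"
        user, session.pending_user = session.pending_user, None
        if user in USERS and hmac.compare_digest(USERS[user].encode(), arg.encode()):
            session.authenticated = True
            return "281 Authentication accepted"
        return "481 Authentication failed"
    if sub == "SASL":
        mech = arg.split()[0].upper()
        if mech not in SUPPORTED_SASL:
            return "503 Mechanism not recognized"
        if mech in PASSWORD_BEARING and not session.tls_active:
            return "483 Encryption required"
        return "383 Continue with SASL exchange"
    return "501 Syntax error"
```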