[NNTP] AUTHINFO diffs (take 2)

Russ Allbery rra at stanford.edu
Thu Jun 9 10:20:27 PDT 2005


Ken Murchison <ken at oceana.com> writes:

> Here are updated diffs.  I've removed sections 0, and moved the note to
> the RFC editor up above the TOC.  I've also gone back to using
> draft-ietf-sasl-rfc2831bis as normative.

> As soon as I get a thumbs up from Russ, I'll submit it.

The only remaining concern that I have is that recent IETF traffic and
comments from Sam Hartman lead me to wonder if CRAM-MD5 is something that
we shouldn't be mentioning.  Apparently, it's vulnerable to MITM attacks
and doesn't really make the security community happy.

Our only references to it are as an example of another auth mechanism, as
near as I can tell.  Maybe we should use GSSAPI for that example instead
of CRAM-MD5?

It's not a big deal since it's just an example and an informative
reference, but I don't know if it might be better to be safe.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


