[NNTP] STARTTLS diffs
Ken Murchison
ken at oceana.com
Sun Jun 12 15:27:42 PDT 2005
Jeffrey M. Vinocur wrote:
> On Jun 10, 2005, at 12:39 PM, Ken Murchison wrote:
>
>> + network is no longer appropriate, and sometimes integrity and/or
>> + confidentiality protection is desired for the entire connection.
>
>
> "are desired"? I'm not sure how to conjugate with an "and/or" but the
> "is" looks funny to me.
I'm not sure which is more appropriate. I think arguments can be made
for both. Any other opinions?
>> - The STARTTLS extension provides a way to use the popular TLS [TLS]
>> - service with the existing NNTP protocol. [...]
>
>
> I really like what you did with this paragraph.
>
>
>> + [...] TLS is complimentary to simple
>> + authentication-only SASL mechanisms or deployed clear-text password
>> + login commands.
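Review bot: "complimentary" in the first added line should be "complementary"; TLS complements the authentication mechanisms listed rather than paying them a compliment, and the same spelling carries into the sentence as reworded in reply.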
>
>
> TLS is complementary to both simple, authentication-only SASL
> mechanisms, and widely-deployed clear-text password authentication.
>
> ?
Sure.
>> + During the TLS negotiation, the client MUST check its understanding
>> + of the server hostname against the server's identity as presented
>> + in the server Certificate message, in order to prevent man-in-the-
>> + middle attacks.
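Review bot: the added text mandates the hostname check but never says what the client does when the check fails; without a consequence ("the client MUST NOT continue the connection unless explicitly directed to by the user", or similar) a client that performs the comparison and ignores a mismatch still satisfies the wording, and the man-in-the-middle protection the sentence claims is not actually required. Stating the failure behaviour alongside the check also gives the discussion about a user-configurable override a concrete place to attach.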
>
>
> This is stronger than we had before, and I think I like it. My only
> hesitation is, I think the user should have the ability to turn off the
> hostname checking (for the case in which he does not expect it to match,
> since that's fairly common at present).
>
> For that to happen, do we have to do something like "the client MUST
> have the ability to check...and this MUST be the default configuration"?
Hmm, not sure.
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
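An added example, not code from this thread or from any NNTP implementation, showing the client side of the STARTTLS step with the hostname check on by default and only an explicit opt-out, as the draft text and the reply above discuss. It assumes the 382 "continue" response code of the published NNTP STARTTLS extension and a small hypothetical read_line helper.

```python
import socket
import ssl

# Response code a server returns when it is ready to start the TLS handshake
# (assumed from the published NNTP STARTTLS extension, RFC 4642).
STARTTLS_OK = "382"


def make_client_context(verify_hostname=True):
    """TLS context for an NNTP client.

    Hostname checking is on by default and must be disabled explicitly,
    which is the "MUST be the default configuration" shape the thread asks for.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_hostname:
        # Explicit opt-out: the certificate chain is still validated against
        # the trust store; only the name match against the expected host is skipped.
        ctx.check_hostname = False
    return ctx


def verify_settings(ctx):
    """(hostname checked?, certificate required?) for a context, for inspection."""
    return (ctx.check_hostname, ctx.verify_mode == ssl.CERT_REQUIRED)


def starttls_accepted(response_line):
    """True if the server's reply to STARTTLS permits the handshake to begin."""
    return response_line.split(" ", 1)[0] == STARTTLS_OK


def read_line(sock):
    """Hypothetical helper: read one CRLF-terminated NNTP response line."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("connection closed during STARTTLS")
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def negotiate_starttls(sock, server_hostname, verify_hostname=True):
    """Send STARTTLS on an open NNTP connection and return the TLS-wrapped socket."""
    sock.sendall(b"STARTTLS\r\n")
    reply = read_line(sock)
    if not starttls_accepted(reply):
        raise RuntimeError("server refused STARTTLS: " + reply)
    ctx = make_client_context(verify_hostname)
    # wrap_socket runs the handshake; with check_hostname set, a certificate whose
    # names do not match server_hostname raises ssl.SSLCertVerificationError
    # before any NNTP command is sent over the protected connection.
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```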