[NNTP] STARTTLS diffs

Russ Allbery rra at stanford.edu
Mon Jun 13 01:47:18 PDT 2005


Ken Murchison <ken at oceana.com> writes:
> Jeffrey M. Vinocur wrote:
>> On Jun 10, 2005, at 12:39 PM, Ken Murchison wrote:
>> 
>>> +     network is no longer appropriate, and sometimes integrity and/or
>>> +     confidentiality protection is desired for the entire connection.
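
Review bot: on the second added line, the "and/or" modifier in front of "protection" makes the agreement of "is desired" look uncertain to readers, even though the singular noun "protection" is the subject. Rewording to "protection of integrity, confidentiality, or both is desired for the entire connection" would keep the meaning and remove the question.
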
>> "are desired"?  I'm not sure how to conjugate with an "and/or" but the
>> "is" looks funny to me.

> I'm not sure which is more appropriate.  I think arguments can be made for
> both.  Any other opinions?

It's one of those areas of English where either seems to be used.  I think
it's fine.

>> This is stronger than we had before, and I think I like it.  My only
>> hesitation is, I think the user should have the ability to turn off the
>> hostname checking (for the case in which he does not expect it to
>> match, since that's fairly common at present).

>> For that to happen, do we have to do something like "the client MUST
>> have the ability to check...and this MUST be the default
>> configuration"?

> Hmm, not sure.

I think we have it covered.  I like the current wording.  It says one MUST
check but then SHOULD do something about the results of the check, which
provides an out for local configuration (and then one might not check
under an as-if rule, but that's not our business).  This text errs on the
side of security, which is what we should do.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
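
The distinction drawn in the reply above (the check always runs, and local configuration governs only the reaction to a mismatch), as an added Python example that is not part of the original message or of the draft. The function names, the `abort_on_mismatch` setting and the wildcard rule (a `*` for the whole left-most label only) are assumptions made for illustration.

```python
# Added illustration, not text or code from the draft under discussion.
# Assumptions: the certificate's DNS names arrive as a list of strings, and
# a "*" may stand in for the whole left-most label only.
import logging
from typing import List, NamedTuple

log = logging.getLogger("nntp.starttls")


class Verdict(NamedTuple):
    matched: bool   # result of the check, always computed
    proceed: bool   # what local policy decided to do with that result


def hostname_matches(cert_dns_names: List[str], hostname: str) -> bool:
    """Case-insensitive comparison, wildcard allowed as the first label only."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_dns_names:
        pattern = name.lower().rstrip(".").split(".")
        # Reject names of a different depth or with "*" past the first label.
        if len(pattern) != len(host) or "*" in "".join(pattern[1:]):
            continue
        if pattern[0] in ("*", host[0]) and pattern[1:] == host[1:]:
            return True
    return False


def after_handshake(cert_dns_names: List[str], hostname: str,
                    abort_on_mismatch: bool = True) -> Verdict:
    """Run the check unconditionally; the flag governs only the reaction."""
    matched = hostname_matches(cert_dns_names, hostname)
    if matched:
        return Verdict(True, True)
    # The mismatch is recorded even when the user has chosen to continue.
    log.warning("certificate names %s do not cover %s",
                sorted(cert_dns_names), hostname)
    return Verdict(False, not abort_on_mismatch)


if __name__ == "__main__":
    names = ["news.example.org", "*.nntp.example.org"]   # constructed sample
    print(after_handshake(names, "news.example.org"))
    print(after_handshake(names, "a.nntp.example.org"))
    print(after_handshake(names, "reader.example.net"))
    print(after_handshake(names, "reader.example.net", abort_on_mismatch=False))
```
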


