[NNTP] STARTTLS and authentication

Ken Murchison ken at oceana.com
Mon Jun 13 07:43:49 PDT 2005


Do we want to allow a client to authenticate using STARTTLS alone (by 
presenting a client certificate), or do we always want the client to use 
AUTHINFO SASL EXTERNAL?  RFC 3501 (IMAP) has the following paragraph:

       "The server remains in the non-authenticated state, even if client
       credentials are supplied during the [TLS] negotiation.  This does
       not preclude an authentication mechanism such as EXTERNAL (defined
       in [SASL]) from using client identity determined by the [TLS]
       negotiation."


The STLS command for POP (RFC 2595) has similar text (not surprising 
since the IMAP text also came from RFC 2595).

Our current text doesn't seem to explicitly forbid a server from using 
just the client cert alone.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
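
The distinction raised above, as an added example that is not part of the thread or of any NNTP implementation: a small model of the server-side state, in which a client certificate seen during STARTTLS leaves the session unauthenticated and only AUTHINFO SASL EXTERNAL consumes that identity. The response codes assume the NNTP base and STARTTLS/AUTHINFO specifications as later published (RFC 3977, 4642, 4643); the client-certificate identity is passed in as a constructed parameter.

```python
# Added example (not from the thread): model of the server-side state the post
# is about. Response codes follow RFC 3977 / 4642 / 4643 as later published.
class NntpServerModel:
    def __init__(self):
        self.tls_active = False
        self.tls_client_identity = None   # identity from a client cert, if any
        self.authenticated_as = None      # stays None until AUTHINFO succeeds

    def handle(self, line, client_cert_cn=None):
        """Return the reply to one command line.

        client_cert_cn is the constructed identity the TLS layer would
        derive if the client presents a certificate during STARTTLS."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "STARTTLS":
            if self.tls_active:
                return "502 Command unavailable"      # RFC 4642: no re-negotiation
            self.tls_active = True
            self.tls_client_identity = client_cert_cn
            # The IMAP/POP rule quoted in the post: a client cert seen during the
            # TLS handshake does NOT move the session out of the unauthenticated
            # state. authenticated_as is deliberately left untouched here.
            return "382 Continue with TLS negotiation"
        if verb == "AUTHINFO":
            sub, _, rest = arg.partition(" ")
            if sub.upper() != "SASL" or not rest.upper().startswith("EXTERNAL"):
                return "501 Syntax error"
            if not self.tls_active:
                return "483 Encryption or stronger authentication required"
            if self.tls_client_identity is None:
                return "481 Authentication failed/rejected"
            # EXTERNAL is the explicit step that consumes the TLS-derived identity.
            self.authenticated_as = self.tls_client_identity
            return "281 Authentication accepted"
        if verb == "POST":
            if self.authenticated_as is None:
                return "480 Authentication required"
            return "340 Input article; end with <CR-LF>.<CR-LF>"
        return "500 Command not recognized"


def run_session(commands, client_cert_cn=None):
    """Feed commands in order; return the list of server replies."""
    server = NntpServerModel()
    return [server.handle(c, client_cert_cn) for c in commands]
```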
