[NNTP] STARTTLS and authentication
Ken Murchison
ken at oceana.com
Mon Jun 13 07:43:49 PDT 2005

Do we want to allow a client to authenticate using STARTTLS alone (by
presenting a client certificate), or do we always want the client to use
AUTHINFO SASL EXTERNAL? RFC 3501 (IMAP) has the following paragraph:

    "The server remains in the non-authenticated state, even if client
    credentials are supplied during the [TLS] negotiation. This does
    not preclude an authentication mechanism such as EXTERNAL (defined
    in [SASL]) from using client identity determined by the [TLS]
    negotiation."

The STLS command for POP (RFC 2595) has similar text (not surprising
since the IMAP text also came from RFC 2595).

Our current text doesn't seem to explicitly forbid a server from using
just the client cert alone.

--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
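
Added example, not part of the original message or of any NNTP server: a small Python model of the behaviour in the quoted RFC 3501 paragraph, where STARTTLS records the client certificate identity but the session stays non-authenticated until AUTHINFO SASL EXTERNAL is issued. The class and method names, the sample identity, the response codes, and the "=" empty-initial-response convention are assumptions made for illustration.

```python
import base64

class NntpSession:
    """Models only the authentication state discussed in the message (hypothetical)."""

    def __init__(self, authorized):
        self.authorized = set(authorized)  # identities the server accepts (constructed)
        self.tls_active = False
        self.tls_peer = None   # identity taken from a verified client certificate
        self.user = None       # None means the non-authenticated state

    def starttls(self, client_cert_identity=None):
        # Stands in for the TLS handshake; the argument is what a real server
        # would extract from the client certificate after verifying it.
        if self.tls_active:
            return "502 TLS already active"
        self.tls_active = True
        self.tls_peer = client_cert_identity
        # Key point: credentials seen during TLS do not change self.user.
        return "382 Continue with TLS negotiation"

    def authinfo_sasl_external(self, initial_response="="):
        if self.user is not None:
            return "502 Already authenticated"
        if not self.tls_active or self.tls_peer is None:
            return "481 EXTERNAL unavailable: no client identity from TLS"
        try:  # "=" is an empty initial response: derive the identity from TLS
            authzid = "" if initial_response == "=" else \
                base64.b64decode(initial_response, validate=True).decode()
        except ValueError:
            return "501 Malformed base64 initial response"
        identity = authzid or self.tls_peer
        # This model allows no proxy authorization: authzid must match the cert.
        if identity != self.tls_peer or identity not in self.authorized:
            return "481 Authentication failed"
        self.user = identity
        return "281 Authentication accepted"

    def group(self, name):
        # Any command that needs authentication checks self.user, never tls_peer.
        if self.user is None:
            return "480 Authentication required"
        return f"211 0 0 0 {name}"

if __name__ == "__main__":
    s = NntpSession({"reader@example.org"})          # constructed identity
    print(s.starttls("reader@example.org"))          # 382, still non-authenticated
    print(s.group("misc.test"))                      # 480
    print(s.authinfo_sasl_external("="))             # 281
    print(s.group("misc.test"))                      # 211
```

A server that instead treated the certificate alone as authentication would set `self.user` inside `starttls`, which is the behaviour the message asks whether to forbid.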