[NNTP] STARTTLS and authentication
Russ Allbery
rra at stanford.edu
Mon Jun 13 09:20:03 PDT 2005
Ken Murchison <ken at oceana.com> writes:
> Do we want to allow a client to authenticate using STARTTLS alone (by
> presenting a client certificate), or do we always want the client to use
> AUTHINFO SASL EXTERNAL? RFC 3501 (IMAP) has the following paragraph:
> "The server remains in the non-authenticated state, even if client
> credentials are supplied during the [TLS] negotiation. This does
> not preclude an authentication mechanism such as EXTERNAL (defined
> in [SASL]) from using client identity determined by the [TLS]
> negotiation."
> The STLS command for POP (RFC 2595) has similar text (not surprising
> since the IMAP text also came from RFC 2595).
> Our current text doesn't seem to explicitly forbid a server from using
> just the client cert alone.
We should require AUTHINFO SASL EXTERNAL, just because I don't want to try
to figure out what the problems with not requiring it might be. :)
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
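An added illustration of the position taken above (example code written for this page, not from any NNTP server or from the thread participants): a server-side session model in which a client certificate presented during STARTTLS is recorded but does not change the authentication state, and only an explicit AUTHINFO SASL EXTERNAL turns that TLS identity into an authenticated session. Response codes follow the ones later standardized for NNTP STARTTLS and AUTHINFO (RFC 4642 / RFC 4643); the certificate subject is passed in as a plain string in place of a real TLS handshake.

```python
import base64

class NntpSession:
    """Server-side session state (constructed example). A client certificate
    seen at STARTTLS is only recorded; the session stays unauthenticated
    until the client explicitly runs AUTHINFO SASL EXTERNAL."""

    def __init__(self):
        self.tls = False
        self.tls_identity = None      # verified client-cert subject, or None
        self.authenticated_as = None  # set only by a successful AUTHINFO

    def starttls(self, client_cert_subject=None):
        if self.tls:
            return "502 Already using TLS"
        self.tls = True
        self.tls_identity = client_cert_subject  # noted, not authenticated
        return "382 Continue with TLS negotiation"

    def sasl_external(self, authzid=""):
        if self.authenticated_as is not None:
            return "502 Already authenticated"
        if not self.tls or self.tls_identity is None:
            return "481 No TLS client identity available for EXTERNAL"
        # An authorization identity is only accepted when it matches the
        # identity the TLS layer actually verified.
        if authzid and authzid != self.tls_identity:
            return "481 Authorization identity does not match certificate"
        self.authenticated_as = self.tls_identity
        return "281 Authentication accepted"

    def is_authenticated(self):
        return self.authenticated_as is not None


def handle(session, line, client_cert_subject=None):
    """Dispatch one command line and return the server's response line.
    client_cert_subject stands in for what the TLS handshake would verify."""
    verb, _, rest = line.strip().partition(" ")
    args = rest.split()
    verb = verb.upper()
    if verb == "STARTTLS":
        return session.starttls(client_cert_subject)
    if verb == "AUTHINFO" and [a.upper() for a in args[:2]] == ["SASL", "EXTERNAL"]:
        initial = args[2] if len(args) > 2 else "="   # "=" is the empty response
        authzid = "" if initial == "=" else base64.b64decode(initial).decode()
        return session.sasl_external(authzid)
    if verb == "POST":  # a command that needs an authenticated client
        return "340 Send article" if session.is_authenticated() else "480 Authentication required"
    return "500 Unknown command"
```

Running the sequence POST, AUTHINFO SASL EXTERNAL, STARTTLS (with a certificate), POST, AUTHINFO SASL EXTERNAL, POST shows the two refusals, the TLS upgrade, a third refusal despite the certificate, and only then acceptance.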