[NNTP] STARTTLS diffs

Russ Allbery rra at stanford.edu
Sat Jun 25 12:00:00 PDT 2005


Ken Murchison <ken at oceana.com> writes:
> EKR wrote:

>> In some sense this is fine, as it embodies the RFC 2818 model of the
>> universe. However, it doesn't really match up so well with a self-signed
>> cert model, in which it doesn't really matter what
>> the DN is, b/c you're trusting it explicitly anyway... I mean,
>> you *can* check the domain name, but why bother....
>> I'm not sure what model you expect people to be using...

> I'm expecting the NNTP STARTTLS implementation to be as close as
> possible to IMAP, POP3 and SMTP.  All three of these specs have similar
> wording.  In fact, I took this wording from either RFC 3501 or RFC
> 2595. Is there something different about NNTP that makes the above text
> silly/useless or are you saying that it's silly/useless for all of the
> messaging protocols?

> Would you completely remove the above text from the NNTP STARTTLS
> document?

After reviewing this, I think Ken's text makes sense for NNTP.  Currently,
most of the NNTP clients that do TLS are reusing the same code from a mail
component that also does TLS, and I know from experience that they do
verify certificates, including self-signed ones.  I'm not sure that we're
realistically going to have a choice about the cert verification model;
vendors are going to strongly tend towards reusing the cert verification
model they're already using for other protocols, which does the domain
name checking.

As you mention, for self-signed certificates it doesn't really matter
whether you check it or not -- it's not difficult to get the domain name
correct in the certificate.  Since for certain other trust models, it
*does* matter, I would rather just require that clients check.

Ken, could you go ahead and submit the revised draft for publication as an
I-D?  Eric, if you object given the above, please do let us know; I don't
mean to cut off discussion, but since my guess is that we won't need to
change this text, I'd rather get the revised draft into the queue so that
we don't have to worry about it later.

Our current intention is to declare things done by the middle of July to
hit the next IESG review after our AD's vacation.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
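The "domain name checking" Russ refers to, as an added example that is not part of the original message, the draft, or any NNTP client's code. It shows what a STARTTLS client has to do after the handshake under either trust model discussed in the thread: match the hostname it dialled against the certificate's dNSName / iPAddress subjectAltName entries (RFC 2818 section 3.1), falling back to the subject CN only when the certificate carries no SAN, as a hand-rolled self-signed certificate often does not. The certificate dicts use the layout Python's ssl.SSLSocket.getpeercert() returns and are constructed for illustration; the wildcard rule applied is the conservative one (a lone "*" as the whole leftmost label, at least two labels following), which is stricter than RFC 2818's "component fragment" wording and is an assumption of this example.

```python
"""Server-identity check a STARTTLS client makes after the TLS handshake.

Added example (not from the ietf-nntp thread or any real client).
Certificates below are constructed, in ssl.SSLSocket.getpeercert() layout.
"""
import ipaddress
import ssl
from typing import Optional


class CertificateError(ValueError):
    """Presented certificate does not name the host we connected to."""


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName against a hostname (case-insensitive, trailing dot ignored).

    Wildcard policy (assumption of this example, stricter than RFC 2818's text):
    '*' is accepted only as the entire leftmost label and only if at least two
    more labels follow, so '*.example.org' is fine but '*.org' and
    'news*.example.org' are not.
    """
    pat, host = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pat or not host:
        return False
    pat_labels, host_labels = pat.split("."), host.split(".")
    if "*" not in pat:
        return pat_labels == host_labels
    if pat_labels[0] != "*" or pat.count("*") != 1 or len(pat_labels) < 3:
        return False
    return len(pat_labels) == len(host_labels) and pat_labels[1:] == host_labels[1:]


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise CertificateError unless `cert` names `hostname` (RFC 2818 3.1 order)."""
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))  # literal address in the URL?
    except ValueError:
        ip = None

    san = cert.get("subjectAltName", ())
    dnsnames = [v for k, v in san if k == "DNS"]
    ipaddrs = [v for k, v in san if k == "IP Address"]

    if ip is not None:
        # A literal IP must match an iPAddress SAN exactly; names are not consulted.
        if any(ipaddress.ip_address(a) == ip for a in ipaddrs):
            return
        raise CertificateError(f"{hostname} not among iPAddress SANs {ipaddrs}")

    if dnsnames:
        # When any dNSName is present the CN is ignored, even if it would match.
        if any(_dnsname_match(n, hostname) for n in dnsnames):
            return
        raise CertificateError(f"{hostname!r} matches none of {dnsnames}")

    # No dNSName at all (typical self-signed cert): fall back to the most specific CN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if cns and _dnsname_match(cns[-1], hostname):
        return
    raise CertificateError(f"{hostname!r} matches none of CN={cns}")


def client_context(pinned_cert_pem: Optional[str] = None) -> ssl.SSLContext:
    """Client context for either trust model: public CAs (no argument) or one
    explicitly trusted self-signed certificate (PEM string). Hostname checking
    stays on in both; for the pinned case it costs nothing as long as the
    self-signed cert names the server correctly."""
    if pinned_cert_pem is None:
        ctx = ssl.create_default_context()
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.load_verify_locations(cadata=pinned_cert_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed peer certificates, not taken from any real server.
SAN_CERT = {
    "subject": ((("commonName", "news.example.org"),),),
    "subjectAltName": (("DNS", "news.example.org"), ("DNS", "*.example.org"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_SELF_SIGNED = {  # hand-rolled self-signed cert: no SAN, only a CN
    "subject": ((("countryName", "US"),), (("commonName", "news.example.org"),)),
}


def verify_examples() -> dict:
    """Run the matcher over the constructed certificates; True means accepted."""
    cases = [
        ("san-exact", SAN_CERT, "news.example.org"),
        ("san-wildcard", SAN_CERT, "nntp.example.org"),
        ("san-wildcard-too-deep", SAN_CERT, "a.b.example.org"),
        ("san-ip", SAN_CERT, "192.0.2.10"),
        ("san-wrong-host", SAN_CERT, "news.example.com"),
        ("cn-fallback", CN_ONLY_SELF_SIGNED, "news.example.org"),
        ("cn-wrong-host", CN_ONLY_SELF_SIGNED, "localhost"),
    ]
    results = {}
    for name, cert, host in cases:
        try:
            match_hostname(cert, host)
            results[name] = True
        except CertificateError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, ok in verify_examples().items():
        print(f"{name:24s} {'accept' if ok else 'REJECT'}")
```

The point the thread settles on is visible in the last two cases: a self-signed certificate whose CN carries the server's real name passes the same check a CA-issued one does, so requiring the check costs the self-signed deployment nothing, while under the CA model skipping it would let any certificate the CA ever issued impersonate the news server.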
