[NNTP] NNTP Extensions drafts

Russ Allbery rra at stanford.edu
Mon May 23 10:53:30 PDT 2005


Ken Murchison <ken at oceana.com> writes:

> On second thought, RFC 2831bis (DIGEST-MD5) is deprecating the 3DES
> cipher (because of a CBC mode attack) and mandating AES.

> We're currently mandating DIGEST-MD5 for interoperability, so I don't
> know how we want to handle this.  One alternative is to mandate CRAM-MD5
> (which is less secure), or TLS+PLAIN (which is what the latest IMAP4
> update does), but I'm guessing we'll get a big pushback from members of
> the WG.

> Another alternative is to block this doc while waiting for a new SASL
> mech which resembles PASSDSS.  I've been meaning to write this up for a
> while, but haven't gotten to it yet.  Members of the SASL WG feel that
> such a mech would be a useful thing.

If we don't publish all of our docs at right around the same time, we run
into the same problem we ran into with LIST EXTENSIONS where servers may
start implementing NNTPv2 and not advertise AUTHINFO.  I really don't want
to end up in that situation.

Because of that, blocking until we have PASSDSS really isn't appealing to
me.  Blocking the whole set of documents until some of the updates to
other documents have been published is annoying, but possible I guess.
Really, though, I'd rather get everything out with as few external
hold-ups as we can.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


