[NNTP] Re: Comments on draft-ietf-nntp-tls-nntp-05.txt

Russ Allbery rra at stanford.edu
Tue May 24 12:03:58 PDT 2005


EKR <ekr at networkresonance.com> writes:

> Sure, but now we're into the "is this a worthwhile optimization" phase.

Right, understood.  I do agree that that's a question to ponder.

> There's a substantial complexity cost to having SSL/TLS implementations
> rehandshake. If you just wanted to do NULL all the time, I'd have no
> real argument with that. It's the desire to negotiate RC4 (or whatever)
> and then back down to NULL that I think needs to be supported with
> measurements.

That makes sense.  I don't think that down-negotiation is the approach
that anyone really wants; what we want is widespread deployment of a SASL
mechanism that encrypts the password but still sends it.  Unfortunately,
widespread deployment of any new SASL mechanism takes a long time (for
good reasons).  However, widespread deployment of TLS down-negotiation is
probably also not likely to happen quickly, so maybe that doesn't actually
help.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


