[NNTP] Re: Comments on draft-ietf-nntp-tls-nntp-05.txt

Ken Murchison ken at oceana.com
Tue May 24 12:14:54 PDT 2005


Russ Allbery wrote:

> EKR <ekr at networkresonance.com> writes:
> 
> 
>>Sure, but now we're into the "is this a worthwhile optimization" phase.
> 
> 
> Right, understood.  I do agree that that's a question to ponder.
> 
> 
>>There's a substantial complexity cost to having SSL/TLS implementations
>>rehandshake. If you just wanted to do NULL all the time, I'd have no
>>real argument with that. It's the desire to negotiate RC4 (or whatever)
>>and then back down to NULL that I think needs to be supported with
>>measurements.
> 
> 
> That makes sense.  I don't think that down-negotiation is the approach
> that anyone really wants; what we want is widespread deployment of a SASL
> mechanism that encrypts the password but still sends it.  Unfortunately,
> widespread deployment of any new SASL mechanism takes a long time (for
> good reasons).  However, widespread deployment of TLS down-negotiation is
> probably also not likely to happen quickly, so maybe that doesn't actually
> help.

Unless someone vigorously objects, I think I'm going to remove any 
mention of down-negotiation from the draft.  I will be drafting an 
update to the expired PASSDSS SASL mech soon, which would hopefully be 
the best alternative to TLS+PLAIN.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp


