[NNTP] Re: Comments on draft-ietf-nntp-tls-nntp-05.txt
Ade Lovett
ade at lovett.com
Fri May 27 22:33:48 PDT 2005
On May 27, 2005, at 03:49 , Brian E Carpenter wrote:
> Sure, encryption and decryption on fat pipes is expensive.
> That's a well understood problem where I work. But is
> there anything specific to NNTP in this observation? Why would
> NNTP deserve a get out of jail card, and not other
> applications protocols?
Compare the ratio of that part of an NNTP client/server exchange that
"requires" encryption (essentially a secure version of AUTHINFO USER/
PASS for non-plaintext transfers), and that part that does not --
downloading articles that are in the public domain.
If a particular connection wants to merely transmit authentication
information securely, why should both sides then have to continue
with such encryption for article data? Once could argue that in the
case where articles "need" to be transmitted securely, the nntps port
is just sitting there, just as with http vs https.
"Secure" (or, rather, non-plaintext) authentication is something that
comes up frequently in customer communication, both consumer and
corporate outsourced. Backend communication (once the NNTP server
has received the information, and then processes it somewhere) is
handled "securely" -- RADIUS and its shared secrets account for a
considerable part of such behind the scenes verification, but having
to maintain encryption overhead beyond authentication seems to be
exceptional overkill.
-aDe
More information about the ietf-nntp
mailing list