[NNTP] Re: Comments on draft-ietf-nntp-tls-nntp-05.txt

Ade Lovett ade at lovett.com
Fri May 27 22:33:48 PDT 2005


On May 27, 2005, at 03:49 , Brian E Carpenter wrote:

> Sure, encryption and decryption on fat pipes is expensive.
> That's a well understood problem where I work. But is
> there anything specific to NNTP in this observation? Why would
> NNTP deserve a get out of jail card, and not other
> applications protocols?

Compare the ratio of that part of an NNTP client/server exchange that
"requires" encryption (essentially a secure version of AUTHINFO
USER/PASS for non-plaintext transfers), and that part that does not --
downloading articles that are in the public domain.

If a particular connection wants to merely transmit authentication  
information securely, why should both sides then have to continue  
with such encryption for article data?  One could argue that in the
case where articles "need" to be transmitted securely, the nntps port  
is just sitting there, just as with http vs https.

"Secure" (or, rather, non-plaintext) authentication is something that  
comes up frequently in customer communication, both consumer and  
corporate outsourced.  Backend communication (once the NNTP server  
has received the information, and then processes it somewhere) is  
handled "securely" -- RADIUS and its shared secrets account for a  
considerable part of such behind the scenes verification, but having  
to maintain encryption overhead beyond authentication seems to be  
exceptional overkill.

-aDe



