[NNTP] Last Call: <draft-elie-nntp-tls-recommendations-01.txt> (Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)) to Proposed Standard

Julien ÉLIE julien at trigofacile.com
Sat Dec 17 06:16:28 PST 2016


Hi Sabahattin,

>>  TCP port 563 is dedicated to NNTP over TLS, and registered in the
>>  IANA Service Name and Transport Protocol Port Number Registry for
>>  that usage.  NNTP implementations using TCP port 563 begin the TLS
>>  negotiation immediately upon connection and then continue with the
>>  initial steps of an NNTP session.  This use of strict TLS on a
>>  separate port is the preferred way of using TLS with NNTP.
>>
>>  If a host wishes to offer separate servers for transit and reading
>>  clients, TCP port 563 SHOULD be used for the reading server using
>>  strict TLS.  Regarding the transit server, though TCP port 433 is
>>  registered for NNSP (Network News Streaming Protocol), no dedicated
>>  port is currently registered for NNSP over TLS.  If a transit server
>>  offers strict TLS, it SHOULD either use TCP port 433 if it does not
>>  accept connections without TLS, or another unused port of its choice
>>  communicated to all its clients using strict TLS.
>
> This is pretty neat, but I'd like to make the last point
> unambiguous, like this:
>
> If a transit server offers strict TLS, it SHOULD use TCP port 433 if
> it does not accept connections without TLS, but can alternatively use
> another unused port of its choice. In either case, the port used should
> be clearly communicated to the client as the port used for strict TLS,
> and specifically that no plain-text communication occurs before the TLS
> session is negotiated.
>
> If you can make that clearer, be my guest. :)

Thanks for your proposal, which I suggested to the reviewer from the
security directorate during Last Call.  It finally appeared
over-complicated to use port 433 sometimes for strict TLS and sometimes
not, depending only on how the server is configured.

Here is the current text.  I hope you're fine with it.  Otherwise,
please tell me what you reckon is wrong.


    The third and fourth paragraphs in Section 1 of [RFC4642] are
    replaced with the following text:

       TCP port 563 is dedicated to NNTP over TLS, and registered in the
       IANA Service Name and Transport Protocol Port Number Registry for
       that usage.  NNTP implementations using TCP port 563 begin the TLS
       negotiation immediately upon connection and then continue with the
       initial steps of an NNTP session.  This use of strict TLS on a
       separate port is the preferred way of using TLS with NNTP.

       If a host wishes to offer separate servers for transit and reading
       clients, TCP port 563 SHOULD be used for strict TLS with the
       reading server, and an unused port of its choice different than
       TCP port 433 SHOULD be used for strict TLS with the transit
       server.  The ports used for strict TLS should be clearly
       communicated to the clients, and specifically that no plain-text
       communication occurs before the TLS session is negotiated.

       As some existing implementations negotiate TLS via a dynamic
       upgrade from unencrypted to TLS-protected traffic during an NNTP
       session on well-known TCP ports 119 or 433, this specification
       formalizes the STARTTLS command in use for that purpose.  However,
       as already mentioned above, implementations SHOULD use strict TLS
       on a separate port.

       Note: a common alternative to protect NNTP exchanges with transit
       servers that do not implement TLS is the use of IPsec with
       encryption [RFC4301].

I've also added your name in the Acknowledgments Section.

-- 
Julien ÉLIE

« My word… You're drunk! Er! Deaf… » (Astérix)
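The two connection modes the draft text above distinguishes, as an added example that is not part of this message or of the draft: strict TLS (port 563) wraps the socket before a single NNTP byte is read, while the STARTTLS upgrade on port 119/433 sends the greeting and the command in plaintext and must fail closed unless the server answers 382. The host name, the `FakeSocket` helper and the injectable `wrap` parameter are assumptions so the upgrade exchange can be exercised without a network.

```python
import re
import socket
import ssl

NNTP_TLS_PORT = 563   # strict TLS: handshake first, NNTP greeting only inside TLS
GREETING_RE = re.compile(rb"^20[01] ")   # 200 posting allowed / 201 read-only

def read_line(sock):
    # Read one CRLF-terminated NNTP response line and strip the CRLF.
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed before a full response line")
        buf += chunk
    return buf[:-2]

def strict_tls_connect(host, port=NNTP_TLS_PORT):
    """Port-563 style: wrap the socket before reading a single byte."""
    tls = ssl.create_default_context().wrap_socket(
        socket.create_connection((host, port)), server_hostname=host)
    greeting = read_line(tls)   # the first NNTP bytes arrive inside TLS
    if not GREETING_RE.match(greeting):
        raise ConnectionError("unexpected greeting: %r" % greeting)
    return tls, greeting

def starttls_upgrade(sock, host, wrap=None):
    """Port-119/433 style: greeting and STARTTLS travel in plaintext, so
    fail closed unless the server answers 382 (RFC 4642)."""
    greeting = read_line(sock)
    if not GREETING_RE.match(greeting):
        raise ConnectionError("unexpected greeting: %r" % greeting)
    sock.sendall(b"STARTTLS\r\n")
    reply = read_line(sock)
    if not reply.startswith(b"382"):   # refused or stripped: never stay in plaintext
        raise ConnectionError("TLS upgrade refused: %r" % reply)
    if wrap is None:   # injectable (assumption) so the exchange runs offline
        wrap = lambda s: ssl.create_default_context().wrap_socket(s, server_hostname=host)
    # RFC 4642: discard anything learned before the handshake (e.g. CAPABILITIES).
    return wrap(sock), greeting

class FakeSocket:
    """Constructed in-memory peer used to exercise starttls_upgrade offline."""
    def __init__(self, inbound):
        self.inbound, self.sent = bytearray(inbound), b""
    def recv(self, n):
        data, self.inbound = bytes(self.inbound[:n]), self.inbound[n:]
        return data
    def sendall(self, data):
        self.sent += data
```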

