[NNTP] Last Call: <draft-elie-nntp-tls-recommendations-01.txt> (Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)) to Proposed Standard

Sabahattin Gucukoglu listsebby at me.com
Sat Dec 17 10:18:36 PST 2016


Hi,

On 17 Dec 2016, at 14:16, Julien ÉLIE <julien at trigofacile.com> wrote:
> Thanks for your proposal, that I suggested to the reviewer from the security directorate during Last Call.  It finally appeared over-complicated to use port 433 sometimes for strict TLS, and sometimes not, only depending on how the configuration of the server is done.

This is completely understandable. :)  It would have been a matter of mutual agreement only, which is always going to risk confusion.

> Here is the current text.  I hope you're fine with it.  Otherwise, please tell what you reckon is wrong.
> 
> 
>   The third and fourth paragraphs in Section 1 of [RFC4642] are
>   replaced with the following text:
> 
>      TCP port 563 is dedicated to NNTP over TLS, and registered in the
>      IANA Service Name and Transport Protocol Port Number Registry for
>      that usage.  NNTP implementations using TCP port 563 begin the TLS
>      negotiation immediately upon connection and then continue with the
>      initial steps of an NNTP session.  This use of strict TLS on a
>      separate port is the preferred way of using TLS with NNTP.
> 
>      If a host wishes to offer separate servers for transit and reading
>      clients, TCP port 563 SHOULD be used for strict TLS with the
>      reading server, and an unused port of its choice different than
>      TCP port 433 SHOULD be used for strict TLS with the transit
>      server.  The ports used for strict TLS should be clearly
>      communicated to the clients, and specifically that no plain-text
>      communication occurs before the TLS session is negotiated.
> 
>      As some existing implementations negotiate TLS via a dynamic
>      upgrade from unencrypted to TLS-protected traffic during an NNTP
>      session on well-known TCP ports 119 or 433, this specification
>      formalizes the STARTTLS command in use for that purpose.  However,
>      as already mentioned above, implementations SHOULD use strict TLS
>      on a separate port.
> 
>      Note: a common alternative to protect NNTP exchanges with transit
>      servers that do not implement TLS is the use of IPsec with
>      encryption [RFC4301].

This is very reasonable.  No confusion about existing ports and clear that arranged strict TLS is preferable.  I don't have any objection at all.  Peering arrangements always make it possible to arrange the ports in use.

> I've also added your name in the Acknowledgments Section.

Thanks.

Cheers,
Sabahattin
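
As an added example, not part of this thread or of the draft text quoted above: a minimal Python client showing the two paths the replaced RFC 4642 paragraphs contrast, strict TLS on port 563 (handshake before any NNTP byte crosses the wire) and the STARTTLS upgrade on 119/433 that the draft formalizes. The host name news.example.test and every server transcript are constructed; `connect()` is the only part that touches the network and is not exercised offline.

```python
# Added example, not from the draft or any real server; transcripts are constructed.
import io
import socket
import ssl

NNTPS_PORT = 563   # strict TLS: handshake first, no plaintext at all


class NNTPError(Exception):
    pass


def recv_line(rfile):
    raw = rfile.readline()
    if not raw:
        raise NNTPError("peer closed the connection")
    return raw.decode("utf-8", "replace").rstrip("\r\n")


def recv_status(rfile):
    """Read one response line and return (3-digit code, full line)."""
    line = recv_line(rfile)
    if len(line) < 3 or not line[:3].isdigit():
        raise NNTPError(f"malformed response: {line!r}")
    return int(line[:3]), line


def send_command(wfile, command):
    wfile.write(command.encode("ascii") + b"\r\n")
    wfile.flush()


def fetch_capabilities(rfile, wfile):
    """CAPABILITIES (RFC 3977): 101, then one label per line up to '.'."""
    send_command(wfile, "CAPABILITIES")
    code, line = recv_status(rfile)
    if code != 101:
        raise NNTPError(f"CAPABILITIES refused: {line}")
    labels = []
    while True:
        entry = recv_line(rfile)
        if entry == ".":
            return labels
        labels.append(entry.split()[0].upper())


def strict_tls_session(upgrade):
    """Port 563 style: TLS before any NNTP byte, then the usual greeting.  A server
    that greets in the clear makes upgrade() fail (not a TLS record): fail closed."""
    rfile, wfile = upgrade()
    code, greeting = recv_status(rfile)
    if code not in (200, 201):
        raise NNTPError(f"unexpected greeting: {greeting}")
    return greeting, fetch_capabilities(rfile, wfile)


def starttls_session(rfile, wfile, upgrade):
    """Port 119/433 style: plaintext greeting and CAPABILITIES, then STARTTLS.
    Refuses to continue in the clear if STARTTLS is not advertised (downgrade)."""
    code, greeting = recv_status(rfile)
    if code not in (200, 201):
        raise NNTPError(f"unexpected greeting: {greeting}")
    if "STARTTLS" not in fetch_capabilities(rfile, wfile):
        raise NNTPError("STARTTLS not offered; refusing plaintext session")
    send_command(wfile, "STARTTLS")
    code, line = recv_status(rfile)
    if code != 382:
        raise NNTPError(f"STARTTLS refused: {line}")
    rfile, wfile = upgrade()
    # RFC 4642: capabilities seen before the handshake are untrusted; re-fetch over TLS.
    return greeting, fetch_capabilities(rfile, wfile)


def connect(host, port=NNTPS_PORT, strict=True, context=None):
    """Network entry point (assumed host/port; not exercised offline)."""
    context = context or ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=30)
    def upgrade():
        tls = context.wrap_socket(sock, server_hostname=host)
        return tls.makefile("rb"), tls.makefile("wb")
    if strict:
        return strict_tls_session(upgrade)
    return starttls_session(sock.makefile("rb"), sock.makefile("wb"), upgrade)


# Constructed transcripts standing in for a server; nothing here was captured.
CAPS_OVER_TLS = b"101 Capability list:\r\nVERSION 2\r\nREADER\r\nAUTHINFO USER\r\n.\r\n"
STRICT_TRANSCRIPT = b"200 news.example.test ready (posting ok)\r\n" + CAPS_OVER_TLS
CLEAR_TRANSCRIPT = (b"200 news.example.test ready\r\n101 Capability list:\r\nVERSION 2\r\n"
                    b"STARTTLS\r\nREADER\r\n.\r\n382 Continue with TLS negotiation\r\n")
NO_TLS_TRANSCRIPT = b"200 news.example.test ready\r\n101 Capability list:\r\nVERSION 2\r\nREADER\r\n.\r\n"


def demo_strict():
    return strict_tls_session(lambda: (io.BytesIO(STRICT_TRANSCRIPT), io.BytesIO()))


def demo_starttls():
    clear_out = io.BytesIO()
    result = starttls_session(io.BytesIO(CLEAR_TRANSCRIPT), clear_out,
                              lambda: (io.BytesIO(CAPS_OVER_TLS), io.BytesIO()))
    return result + (clear_out.getvalue(),)   # bytes that crossed the wire in the clear


def demo_no_starttls():
    try:
        starttls_session(io.BytesIO(NO_TLS_TRANSCRIPT), io.BytesIO(), None)
    except NNTPError as exc:
        return str(exc)
    return "accepted a plaintext session"   # must not happen
```

The difference the text cares about is visible in `demo_starttls()`: with STARTTLS the greeting and the first `CAPABILITIES` exchange are sent unprotected, and a server (or an on-path attacker) that simply omits STARTTLS from the capability list has to be refused by explicit client logic. On the strict port nothing is sent before the handshake, and a "strict" port that turns out to greet in plaintext (the kind of arrangement the port 433 proposal would have required clients to guess at) fails at `context.wrap_socket()` because the greeting bytes are not a TLS record, so there is no plaintext fallback to get wrong.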


More information about the ietf-nntp mailing list