[NNTP] Last Call: <draft-elie-nntp-tls-recommendations-01.txt> (Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)) to Proposed Standard
Sabahattin Gucukoglu
listsebby at me.com
Sat Dec 17 10:18:36 PST 2016
Hi,
On 17 Dec 2016, at 14:16, Julien ÉLIE <julien at trigofacile.com> wrote:
> Thanks for your proposal, that I suggested to the reviewer from the security directorate during Last Call. It finally appeared over-complicated to use port 433 sometimes for strict TLS, and sometimes not, only depending on how the configuration of the server is done.
This is completely understandable. :) It would have been a matter of mutual agreement only, which is always going to risk confusion.
> Here is the current text. I hope you're fine with it. Otherwise, please tell what you reckon is wrong.
>
>
> The third and fourth paragraphs in Section 1 of [RFC4642] are
> replaced with the following text:
>
> TCP port 563 is dedicated to NNTP over TLS, and registered in the
> IANA Service Name and Transport Protocol Port Number Registry for
> that usage. NNTP implementations using TCP port 563 begin the TLS
> negotiation immediately upon connection and then continue with the
> initial steps of an NNTP session. This use of strict TLS on a
> separate port is the preferred way of using TLS with NNTP.
>
> If a host wishes to offer separate servers for transit and reading
> clients, TCP port 563 SHOULD be used for strict TLS with the
> reading server, and an unused port of its choice different than
> TCP port 433 SHOULD be used for strict TLS with the transit
> server. The ports used for strict TLS should be clearly
> communicated to the clients, and specifically that no plain-text
> communication occurs before the TLS session is negotiated.
>
> As some existing implementations negotiate TLS via a dynamic
> upgrade from unencrypted to TLS-protected traffic during an NNTP
> session on well-known TCP ports 119 or 433, this specification
> formalizes the STARTTLS command in use for that purpose. However,
> as already mentioned above, implementations SHOULD use strict TLS
> on a separate port.
>
> Note: a common alternative to protect NNTP exchanges with transit
> servers that do not implement TLS is the use of IPsec with
> encryption [RFC4301].
This is very reasonable. No confusion about existing ports and clear that arranged strict TLS is preferable. I don't have any objection at all. Peering arrangements always make it possible to arrange the ports in use.
> I've also added your name in the Acknowledgments Section.
Thanks.
Cheers,
Sabahattin
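The draft text quoted above distinguishes two ways a session can end up protected: strict TLS on a dedicated port (the handshake happens before any NNTP command) and the STARTTLS upgrade on the plain-text ports 119/433 (greeting and CAPABILITIES in the clear, then "382 Continue with TLS negotiation" and the handshake). The client below, added here as an example and not code from the draft, from INN or from anyone in this thread, shows both paths and the one policy that makes the STARTTLS path safe: a server that withholds STARTTLS is treated as an error, never as a reason to carry on in plain text. The response codes come from RFC 3977 (200/201 greeting, 101 capability list) and RFC 4642 (382 for STARTTLS); the transport interface, the FakeTransport, its scripted server lines and the host name news.example.net are constructed for illustration.

```python
"""Client-side start of an NNTP session: strict TLS vs STARTTLS upgrade."""
import socket
import ssl

NNTPS_PORT = 563               # registered for NNTP over strict TLS
STARTTLS_PORTS = {119, 433}    # plain-text well-known ports: reader, transit


class TlsRequired(Exception):
    """Session cannot be protected: do not send AUTHINFO, POST or IHAVE."""


class FakeTransport:
    """Scripted peer for offline use (constructed for this example). Every
    line moved is logged with the TLS state it was moved under."""

    def __init__(self, server_lines):
        self.server_lines = list(server_lines)
        self.tls = False
        self.events = []           # (direction, line, under_tls)

    def start_tls(self, hostname):
        self.events.append(("tls", hostname, True))
        self.tls = True

    def readline(self):
        line = self.server_lines.pop(0)
        self.events.append(("recv", line, self.tls))
        return line

    def sendline(self, line):
        self.events.append(("send", line, self.tls))


class SocketTransport:
    """Real peer over TCP; same three operations as FakeTransport."""

    def __init__(self, host, port, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def start_tls(self, hostname):
        ctx = ssl.create_default_context()      # verifies chain and name
        self.sock = ctx.wrap_socket(self.sock, server_hostname=hostname)

    def readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed the connection")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line.decode("utf-8", "replace")

    def sendline(self, line):
        self.sock.sendall(line.encode("utf-8") + b"\r\n")


def _read_capabilities(t):
    """Send CAPABILITIES and parse the 101 multi-line reply into a set."""
    t.sendline("CAPABILITIES")
    status = t.readline()
    if not status.startswith("101"):
        raise TlsRequired("unexpected CAPABILITIES reply: " + status)
    caps = set()
    while True:
        line = t.readline()
        if line == ".":
            return caps
        caps.add(line.split()[0].upper())


def open_session(transport, port, hostname, strict_ports=frozenset({NNTPS_PORT})):
    """Bring a fresh connection to the point where TLS protects it.

    strict_ports may include the site-chosen transit port the draft
    mentions. Returns (mode, capabilities); raises TlsRequired instead of
    ever falling back to plain text.
    """
    if port in strict_ports:
        transport.start_tls(hostname)    # nothing is exchanged before this
        mode = "strict"
    elif port in STARTTLS_PORTS:
        mode = "starttls"
    else:
        raise ValueError("port %d is not an NNTP port we know" % port)

    greeting = transport.readline()
    if greeting[:3] not in ("200", "201"):
        raise TlsRequired("bad greeting: " + greeting)

    if mode == "starttls":
        caps = _read_capabilities(transport)
        if "STARTTLS" not in caps:
            # Missing capability may be the server or an on-path stripper;
            # either way the only safe answer is to stop here.
            raise TlsRequired("server offers no STARTTLS; refusing plain text")
        transport.sendline("STARTTLS")
        reply = transport.readline()
        if not reply.startswith("382"):
            raise TlsRequired("STARTTLS refused: " + reply)
        transport.start_tls(hostname)

    # RFC 4642: anything learned before the handshake is untrusted, so the
    # capability list is fetched again over the protected channel.
    return mode, _read_capabilities(transport)
```

With a real server, `open_session(SocketTransport(host, 563), 563, host)` never writes a byte before the handshake, while on port 119 the event log of the fake shows exactly which lines an on-path observer would have seen (greeting, CAPABILITIES, STARTTLS, 382) and that credentials are only ever offered after the `tls` event.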