[NNTP] Registering NNTP and NNSP as ALPN identifiers

Julien ÉLIE julien at trigofacile.com
Sun Sep 19 03:35:06 PDT 2021


Hi all,

The UTA WG (Using TLS in Applications) is currently revising RFC 7525 
about TLS recommendations.
   https://datatracker.ietf.org/doc/draft-ietf-uta-rfc7525bis/

In its last -02 draft, they added:

   Protocol developers are strongly encouraged to register an ALPN
   identifier for their protocols.  This applies to new protocols, as
   well as well-established protocols such as SMTP.

And also in -01:

   TLS implementations (both client- and server-side) MUST support the
   Application-Layer Protocol Negotiation (ALPN) extension [RFC7301].
   In order to prevent "cross-protocol" attacks resulting from failure
   to ensure that a message intended for use in one protocol cannot be
   mistaken for a message for use in another protocol, servers should
   strictly enforce the behavior prescribed in Section 3.2 of [RFC7301]:
   "In the event that the server supports no protocols that the client
   advertises, then the server SHALL respond with a fatal
   "no_application_protocol" alert."  It is also RECOMMENDED that
   clients abort the handshake if the server acknowledges the ALPN
   extension, but does not select a protocol from the client list.
   Failure to do so can result in attacks such those described in
   [ALPACA].


It refers to RFC 7301 and the following IANA registry:
 
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids

ALPN permits multiple protocols, for instance on the HTTPS port.
I've seen that sslh (an ssl/ssh multiplexer) makes use of ALPN, so it 
could make sense for sharing an NNTP connection on the same port as 
other services.

Would you be OK with the registration of our IDs?
I can send the request for "nntp" and "nnsp".



P.S.:  Note that we also have "netnews" on port 532 reserved for us but 
not used nowadays.  Not worth registering it, I believe.

-- 
Julien ÉLIE

"You know, ideas are in the air. It only takes someone talking to you
   about them from too close for you to catch them!" (Raymond
   Devos)
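
The strict ALPN behaviour quoted from the draft above, as an added example that is not part of the original message or of any NNTP implementation: it parses the RFC 7301 ProtocolNameList and applies the server-side and client-side checks. The identifiers "nntp" and "nnsp" are the ones proposed in the message; the function names, and the choice of decode_error and illegal_parameter for the malformed and client-side cases, are assumptions of this sketch.

```python
import struct

NO_APPLICATION_PROTOCOL = 120  # alert description defined by RFC 7301
DECODE_ERROR = 50              # assumption: used here for malformed extension data
ILLEGAL_PARAMETER = 47         # assumption: used here for the client-side abort

class AlpnAbort(Exception):
    """The handshake must be aborted with this fatal alert description."""
    def __init__(self, alert, reason):
        super().__init__(reason)
        self.alert = alert

def encode_names(names):
    """Build ALPN extension_data: uint16 list length, then length-prefixed names."""
    body = b"".join(bytes([len(n)]) + n for n in names)
    return struct.pack("!H", len(body)) + body

def parse_names(ext_data):
    """Parse ALPN extension_data strictly; reject truncated or empty entries."""
    if len(ext_data) < 2 or struct.unpack("!H", ext_data[:2])[0] != len(ext_data) - 2:
        raise AlpnAbort(DECODE_ERROR, "bad ProtocolNameList length")
    body, names, i = ext_data[2:], [], 0
    while i < len(body):
        n = body[i]
        name = body[i + 1:i + 1 + n]
        if n == 0 or len(name) != n:
            raise AlpnAbort(DECODE_ERROR, "bad ProtocolName")
        names.append(name)
        i += 1 + n
    if not names:
        raise AlpnAbort(DECODE_ERROR, "empty ProtocolNameList")
    return names

def server_select(client_ext, supported):
    """Server side: pick by server preference, or abort as Section 3.2 requires."""
    offered = parse_names(client_ext)
    for proto in supported:
        if proto in offered:
            return proto
    raise AlpnAbort(NO_APPLICATION_PROTOCOL, "no protocol in common")

def client_check(offered, server_ext):
    """Client side: the server must return exactly one name taken from our list."""
    chosen = parse_names(server_ext)
    if len(chosen) != 1 or chosen[0] not in offered:
        raise AlpnAbort(ILLEGAL_PARAMETER, "server chose a protocol we did not offer")
    return chosen[0]
```

A server that falls through to a default protocol instead of raising in `server_select` is the gap the cross-protocol attacks cited in the draft rely on.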

