Path: utzoo!utstat!jarvis.csri.toronto.edu!mailrus!wuarchive!gem.mps.ohio-state.edu!ctrsol!sdsu!ucsd!brian
From: brian@ucsd.Edu (Brian Kantor)
Newsgroups: news.software.nntp
Subject: Re: Suggested NNTP enhancements for user access control
Message-ID: <10125@ucsd.Edu>
Date: 12 Nov 89 18:40:41 GMT
References: <10095@ucsd.Edu> <11212@cbnews.ATT.COM>
Reply-To: brian@ucsd.edu (Brian Kantor)
Organization: The Avant-Garde of the Now, Ltd.
Lines: 26

Mark, you are reading too much into the spec.  A more precise statement
of the semantics of the USER command is

	USER <site-dependent-string>

i.e., the spec doesn't call for ANY specific syntax or content of the
string following the USER command.  That means that login procedures
for the NNTP server at any particular host are as configurable as is the
interactive (user terminal) login itself.  If that requires a specific
n-tuple of parameters, so be it.  N can always be 1 if that's the way
your host wants to do it.

Specification or requirement of encryption and of user identification
and/or verification does not belong in the NNTP spec.  All we have to
do is provide a facility for in-band exchange of tokens for the people
who want to do that.

If it is desired to have a specification of the methods of user
verification used over the internet, that should be the subject of a
separate RFC.  As it would undoubtedly apply to telnet, rlogin, ftp,
smtp, and nntp, it is a matter which needs careful consideration
and shouldn't be hacked into one particular transport protocol
specification.

I hope you can see why I'm trying so hard to keep these separate!
	- Brian