Path: utzoo!utstat!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!usc!apple!genet!lear
From: lear@GENBANK.BIO.NET (Eliot Lear)
Newsgroups: news.software.nntp
Subject: Re: Suggested NNTP enhancements for user access control
Message-ID:
Date: 13 Nov 89 01:28:41 GMT
References: <10095@ucsd.Edu> <11212@cbnews.ATT.COM> <10125@ucsd.Edu>
Organization: GenBank Online Service
Lines: 34

I've got several comments on the proposed extensions.

First, there exists an authentication group within the IETF which deals with authentication issues, headed up by Jeff Schiller, I believe. We should probably be talking to him as to what type of hooks should be left in. Also, my understanding is that there either has been or will be shortly a decree that says that no protocol may move beyond ``proposed standard'' unless the security issues have been addressed. So the hooks should be there. It would also be nice if a simple demonstration of those hooks were included in an implementation, but that brings up oodles of arguments about expectations, etc...

When you write the spec, it should be OK (and possibly recommended) for a server to always return a 200 level code, regardless of whether the user passed the challenge. That way, you don't have someone hacking passwords, or other fun stuff. This would probably also have at least the feel of the KISS (keep it simple, stupid). Also, there should be no reason why HOSTS couldn't authenticate themselves in this system.

Speaking of response codes, as long as you're doing a new version, care to bring the response codes in line with SMTP, FTP, etc? I realize this could be messy for code trying to deal with both implementations, but if you were to fix this stuff, you'd probably want to run on another port. For example, how about 5xx you blew it, as opposed to a temporary error (if you should even want to do such a thing).

'best,
--
Eliot Lear [lear@net.bio.net]
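As an added illustration of the two suggestions in the post above (this is example code, not from the post or from any NNTP server implementation), the handler below accepts a two-step username/password exchange and returns the same success-class reply whether or not the credentials matched, keeping the real outcome in server-side session state; syntax and sequencing errors get a 5xx permanent-failure reply, with a 4xx class reserved for temporary failures, in the SMTP/FTP style the post asks for. The AUTHINFO USER/PASS command shape, the reply texts, the numeric codes, the salt, the iteration count and the sample user are all assumptions constructed for the example. A deliberately leaky variant is included only to show the reply difference that the uniform handler removes.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed credential store: username -> PBKDF2 digest of the password.
# Salt, iteration count and the sample user are example values, not real ones.
_SALT = b"constructed-example-salt"
_ITERATIONS = 10_000


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


CREDENTIALS = {"alice": _digest("correct horse")}

# Reply classes follow the SMTP/FTP convention the post suggests:
# 2xx success, 3xx more input needed, 4xx temporary failure (retry later),
# 5xx permanent failure (do not retry as-is). Codes/texts are assumed.
OK_AUTH = "281 Authentication accepted"
NEED_PASS = "381 Password required"
TEMP_FAIL = "400 Service temporarily unavailable"
PERM_SYNTAX = "501 Syntax error or command out of sequence"


@dataclass
class Session:
    pending_user: Optional[str] = None
    authenticated: bool = False


def check_credentials(user: str, password: str) -> bool:
    """Return True only for a known user with a matching password.

    The full digest and a constant-time comparison are always performed,
    even for unknown users, so timing does not reveal which names exist.
    """
    stored = CREDENTIALS.get(user)
    candidate = _digest(password)
    reference = stored if stored is not None else b"\0" * len(candidate)
    match = hmac.compare_digest(reference, candidate)
    return match and stored is not None


def handle(session: Session, line: str) -> str:
    """Process one AUTHINFO command line; the reply never reveals the outcome."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3 or parts[0].upper() != "AUTHINFO":
        return PERM_SYNTAX
    sub, value = parts[1].upper(), parts[2]
    if sub == "USER":
        session.pending_user = value
        session.authenticated = False
        return NEED_PASS
    if sub == "PASS":
        if session.pending_user is None:
            return PERM_SYNTAX  # PASS before USER is a sequencing error
        session.authenticated = check_credentials(session.pending_user, value)
        session.pending_user = None
        # Same 2xx reply for success and failure; only session state differs.
        return OK_AUTH
    return PERM_SYNTAX


def reply_leaky(user: str, password: str) -> str:
    """What the post warns against: replies that distinguish the failure cause."""
    if user not in CREDENTIALS:
        return "481 No such user"
    if not check_credentials(user, password):
        return "481 Wrong password"
    return OK_AUTH


if __name__ == "__main__":
    s = Session()
    print(handle(s, "AUTHINFO USER alice"))
    print(handle(s, "AUTHINFO PASS correct horse"), "->", s.authenticated)
```

The session object, not the wire reply, is what later commands consult before serving articles; the leaky variant shows how a reply that names the failure cause lets a client tell valid usernames from invalid ones, which the uniform handler avoids.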