Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!rex!news.arc.nasa.gov!haven.umd.edu!umd5!stjohns
From: stjohns@umd5.umd.edu (Mike St. Johns)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: RFC 931 "Not Recommended" (Re: Authenticated SMTP, anyone done one?)
Message-ID:
Date: 17 Jun 91 00:55:11 GMT
References: <1991Jun3.163841.4114@bwdls61.bnr.ca> <17169:Jun1122:04:5791@kramden.acf.nyu.edu> <1991Jun14.142800.27168@Daisy.EE.UND.AC.ZA> <6201.Jun1504.10.2091@kramden.acf.nyu.edu>
Sender: news@umd5.umd.edu
Organization: UofMaryland, College Park
Lines: 55
In-reply-to: brnstnd@kramden.acf.nyu.edu's message of 15 Jun 91 04:10:20 GMT

In article <6201.Jun1504.10.2091@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:

   In article <1991Jun14.142800.27168@Daisy.EE.UND.AC.ZA> barrett@Daisy.EE.UND.AC.ZA (Alan P Barrett) writes:
   > I could find only two references to authentication protocols in RFC1200,
   > and both are marked "Experimental" and "Not Recommended". Why?

   Basically, because they haven't been widely enough field-tested. (This
   requirement rarely applies to the pet protocols of established IETFers;
   it does make some sense that Party babies should get ahead... :-) )

Speaking as both the author of RFC931 and a charter member of the
IETF... AND as a member of the Security Area Advisory Group of the
IETF...

I wrote RFC931 as an experiment and an exercise in writing an RFC back
in the days when there weren't as many being published. The
functionality of RFC931 was very limited and in any case has been
subsumed by two other very good protocols - KERBEROS and SNMP.
Kerberos provides a much better authentication mechanism while SNMP
provides the mechanism for retrieving general data from a host.
Admittedly, SNMP does not have the MIB variables written to extract
931 data, but the mechanism is there. Given a choice, I'd rather have
someone write an experimental MIB covering user data than implement
931.

   As soon as some vendor adopts any RFC 931 code, I'll submit my revision
   of the RFC and propose that it advance in status.

If you have a revision, submit it now as an internet draft - send it
to Steve Crocker - Security Area Director for the IETF
(crocker@tis.com). Almost anything can enter the standards track -
RFC931 could enter today as a Proposed Standard - no experience with
the protocol is necessary for this step.

   > How seriously should people take the suggestion that experimental
   > protocols should not be implemented without coordination with their
   > developers?

   Answer 1: You mean someone takes that seriously? Uh-oh.

Please take this seriously - it's given us great benefits in the past.
Instead of 5 virtually identical but non-interoperable transport
protocols (ala OSI) we have 2, each with a distinct category of
service.

It's gratifying to see that someone actually reads the old RFCs, and I
appreciate all the work Dan has put into his implementation, but if I
could put a stake through the heart of 931, I would do it - it's just
too limited.

Mike