From: SMTP%"brian@UCSD.EDU" 12-APR-1991 14:24:16.67 To: JMS@CARAT.ARIZONA.EDU CC: Subj: Re: NNTP auth Date: Fri, 12 Apr 91 14:23:16 -0700 From: brian@UCSD.EDU (Brian Kantor) Message-Id: <9104122123.AA26853@ucsd.edu> To: JMS@CARAT.ARIZONA.EDU Subject: Re: NNTP auth The NNTP authorization scheme is supposed to be site dependent. The version that's in the current code is really only for simple host authentication, to prevent users from telnetting into nntp ports and forging articles. Enclosed below is a first draft of a suggested specification that is being considered by the IETF NNTP working group. It may help a bit in understanding what the issues are, and how you can use them. - Brian Network Working Group Brian Kantor Request for Comments: P-DRAFT Univ. of Calif San Diego August 1990 NNTP Enhancements Status of this Memo This is a preliminary draft of revisions to the NNTP. While no major revisions are expected, it would perhaps be wise to defer making significant investments in time implementing these specs until more review has taken place. Clarifications of points inadequately discussed in RFC977 It is important to note that while the NNTP is similar to the electronic mail transport standard for SMTP, it does not operate in the same environment. NNTP connections imply the existence of some degree of prearrangement: newsfeeds are set up by cooperating sites. Therefore, many of the negotiations which might be implied by a general-access protocol such as SMTP are not required in the NNTP since they will be arranged ahead of time by the managers of the systems involved. RFC977 does not fully specify which header lines are required by the POST command when an article is submitted from a client. This is intentional, as the NNTP server does not in fact perform the posting operation itself, but merely provides transport of the article to be posted to the news software that does the actual posting. Thus which header lines must be included before an article can be posted via NNTP is dependent upon the news posting software at the server. Typically, some of the header lines that are required for transport of a posted article between systems would NOT be required for a proto-article that is being submitted via the POST command, as the news posting software will supply them. It is suggested that those header lines which are used by persons reading the articles (as opposed to transport headers) and which are likely to contain user-specific information should probably be supplied within the proto-article by the NNTP posting client, as that is most likely the point at which that information is known. Within the context of the Usenet news RFC [currently RFC1036], which headers are supplied by the user agent that composed the proto- article and which are supplied by the posting software itself is a Kantor FORMFEED[Page 1] RFC DRAFT August 1990 program interface issue and does not seem to be addressed, as the RFC covers only article transport. However, in a more global sense, there should be some specification of the interface to the news posting software. Articles submitted for XFER must be complete articles with all RFC1036 header fields. Implementation matters A definition of newsgroup matching should be issued to supplement the Usenet news RFC since it's not clear either from that spec nor this one just what is meant by 'matching' newsgroup specifications. There are many commands for which the response from the server would be useful to the person running the nntp client, in particular the messages returned from authentication, access, and posting commands. Implementors should seriously consider that some of these should be written to the user's screen. Changes Date and time now use ISO 3307 format, but for backward compatability the prior MMDDYY HHMMSS format may still be accepted. Dates and times are always in GMT. The default character set for NNTP commands and responses is NETASCII, but within the structure of textual transmissions, the 7- bit limitation does not apply whenever the underlying transmission medium can support 8-bit data. Thus articles containing 8-bit data must be transferred without the high-order bit of octets being set to zero whenever possible. Several new commands have been added to allow for authentication and access control, as well as some transfer options and a new SEARCH command to provide for super-whiz-bang news retrieval systems. XHDR becomes a subset of the optional HEADER command; for backwards compatability a server can handle both. Restrictions on the contents of the 4th field of data returned by the LIST command are deleted. Kantor FORMFEED[Page 2] RFC DRAFT August 1990 New commands: OPTION {DO | NO} option [parameters] used to request that an