
Re: Last Call: draft-hethmon-mcmurray-ftp-hosts (File Transfer Protocol HOST Command) to Proposed Standard

2010-05-12 23:35:04
--On Wednesday, 12 May, 2010 16:04 -0700 Douglas Otis
<dotis(_at_)mail-abuse(_dot_)org> wrote:

...
In this case, the IETF should say "Use something more secure."
The proposed enhancement combines multiple host's credentials
to avoid transparent techniques that could offer network
isolation as well.  Your concern would be valid when there is
also a commensurate effort at improving security.
Unfortunately, the opposite is true.

Doug,

Let's separate two issues.  One is whether or not this
particular proposal, with or without RFC 4217 (an existing
Proposed Standard), is appropriate.  If it is not, or cannot
exist in harmony with 4217, then it reinforces my view that it
should not be put on the Standards Track without a more
comprehensive examination in the context of existing FTP work
and proposals.

The other is whether we should proceed with any FTP work at all.
Especially in the context of 4217 (you were aware of that when
you wrote your comments, weren't you), I find your remarks
completely unpersuasive.  One could reasonably argue that it is
time to establish a SASL binding for FTP (maybe it is; a WG
could figure that out), but I think it is hard to argue that FTP
generally is any worse from an authentication, authorization, or
privacy standpoint than any other protocol that we've protected
by running it over an encrypted tunnel.  YMMD, of course.

     john


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf