[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-hansen-pop3-xtndext-00.txt



>< I believe this is out of scope for the GRIP WG.
>
>Well, consider this paragraph from draft-ietf-grip-isp-04.txt. (This comes
>after a discussion of the SMTP SUBMIT port and the use of SMTP AUTH.)
>
>    The (undocumented) XTND XMIT POP3 extension which allows clients to send
>    mail through the POP3 session rather than using SMTP may also be
>    considered.  It also provides a way to support mobile users at sites
>    where open relaying is disabled, and has the benefit of an authenticated
>    connection and a better audit trail.
>
>Given that this topic came up within the grip-wg's discussions and it's
>being mentioned in the grip's major document, it seems to be within scope
>for discussion in grip-wg. The pop3 extensions themselves are outside of the
>scope of grip-wg, hence the lack of "grip" in the document filename.

The way the draft-ietf-grip-isp-04.txt is written makes it necessary to 
discuss these kind of technical detail. My problem with this approach is,
that we focus on specific technics and we have had the discussion about
specific benefits in comparison to others while all we want to say is
that the sending of mail should be allowed only after strong authentication.
Using some examples is okay then to make it more understandable, but advising
to use specific technics is difficult, because then we have to change the RFC
after new and better mechanisms are developed. 

I would be in favour to handle such topics more from a global perspective.

>< I consider the SMTP AUTH extension to be a superior solution to the
>< problem in all ways -- it requires fewer code changes, is more flexible
>< and secure, and results in an architecture with better functional
>< separation. See draft-myers-smtp-auth-09.txt.  That solution also works
>< for IMAP as well as POP with far less complexity.
>
>Nobody is disagreeing with SMTP AUTH being a better solution. Some of us
>just felt that anything which is being mentioned in a BCP should be
>documented somewhere, rather than being left described as "(undocumented)".

So if nobody is disagreeing with SMTP AUTH to be the better solution, what
the trouble with the POP extensions, just skip them and prepare the
pop3-xtndext
anyway for documenting purposes?

Best regards,
	Peter

--
Klaus-Peter Kossakowski / Hamburg / kpk@work.de