Harald Tveit Alvestrand wrote:
> 
> Protocols that offer increased complexity but no gain in security or
> efficiency over other standards-track efforts, but are in use today, are
> IMHO excellent candidates for Informational publication.
> 
> Not for the standards track.
> 
I'll go further.  THIS ENTIRE PROTOCOL DUPLICATES OTHER STANDARDS TRACK 
EFFORTS.  I see no reason why it should rise above Experimental and 
Informational.

We already have authentication and encryption at link layer (PPP), 
network layer (IPSec), transport layer (TLS), and session layer 
(SecSHell).  Why do we need application layer security, too?

If this were "just" authentication, just as new authentication modes 
have been added to protocols (POP3, SMTP) that already have some form of 
authentication, it might be useful.  But, Telnet has no extant 
authentication that is being improved.  This is a whole new set of 
features, including encryption (not mentioned in the announcement).  
Why bother?

Moreover, there is no _required_ option that must be implemented.  One 
of the most important interoperability design principles is violated.  

Finally, the protocol itself seems insecure and subject to denial of 
service and monkey in the middle attacks.  It's a bad idea.

[EMAIL PROTECTED]
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
