ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Andrew Gierth andrew at
Mon Dec 9 18:39:24 PST 2002

>>>>> "Rob" == Rob Siemborski <rjs3 at> writes:

 > On Mon, 9 Dec 2002, Andrew Gierth wrote:
 >> This obviously isn't possible using mechanisms like DIGEST-MD5,
 >> CRAM-MD5 or SRP, because all of those are based around the client
 >> _proving knowledge of the password_ rather than actually _sending_
 >> the password. If the server does not have access to stored
 >> passwords, but only has access to a separate authentication
 >> mechanism that uses a _different_ protocol, then there is no way
 >> for the server to provide any of these methods.

 Rob> So, basically what you're saying is you want a SASL mechanism
 Rob> that negotiates TLS (or similar) for the duration of the SASL
 Rob> mechanism, and then does a PLAIN exchange underneath?

or pretty much any mechanism that works by encrypting the password
rather than generating digests from it.

 Rob> In general your problem is solved by putting TLS around the
 Rob> whole session, of course (but you already said that won't work
 Rob> for you).

encrypting whole sessions is a bit of an issue when you're doing serious
traffic volumes (think gigabits).


More information about the ietf-nntp mailing list