ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)
andrew at erlenstar.demon.co.uk
Mon Dec 9 18:39:24 PST 2002
>>>>> "Rob" == Rob Siemborski <rjs3 at andrew.cmu.edu> writes:
> On Mon, 9 Dec 2002, Andrew Gierth wrote:
>> This obviously isn't possible using mechanisms like DIGEST-MD5,
>> CRAM-MD5 or SRP, because all of those are based around the client
>> _proving knowledge of the password_ rather than actually _sending_
>> the password. If the server does not have access to stored
>> passwords, but only has access to a separate authentication
>> mechanism that uses a _different_ protocol, then there is no way
>> for the server to provide any of these methods.
Rob> So, basically what you're saying is you want a SASL mechanism
Rob> that negotiates TLS (or similar) for the duration of the SASL
Rob> mechanism, and then does a PLAIN exchange underneath?
or pretty much any mechanism that works by encrypting the password
rather than generating digests from it.
Rob> In general your problem is solved by putting TLS around the
Rob> whole session, of course (but you already said that won't work
Rob> for you).
encrypting whole sessions is a bit of an issue when you're doing serious
traffic volumes (think gigabits).
More information about the ietf-nntp