ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)
Ken Murchison
ken at oceana.com
Mon Dec 9 19:19:26 PST 2002
Andrew Gierth wrote:
>
> >>>>> "Rob" == Rob Siemborski <rjs3 at andrew.cmu.edu> writes:
>
> > On Mon, 9 Dec 2002, Andrew Gierth wrote:
> >> This obviously isn't possible using mechanisms like DIGEST-MD5,
> >> CRAM-MD5 or SRP, because all of those are based around the client
> >> _proving knowledge of the password_ rather than actually _sending_
> >> the password. If the server does not have access to stored
> >> passwords, but only has access to a separate authentication
> >> mechanism that uses a _different_ protocol, then there is no way
> >> for the server to provide any of these methods.
>
> Rob> So, basically what you're saying is you want a SASL mechanism
> Rob> that negotiates TLS (or similar) for the duration of the SASL
> Rob> mechanism, and then does a PLAIN exchange underneath?
>
> or pretty much any mechanism that works by encrypting the password
> rather than generating digests from it.
>
> Rob> In general your problem is solved by putting TLS around the
> Rob> whole session, of course (but you already said that won't work
> Rob> for you).
>
> encrypting whole sessions is a bit of an issue when you're doing serious
> traffic volumes (think gigabits).
So, are you talking about server-server authentication, or a high volume
of client connections?
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
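
The constraint described in the quoted text, as an added example that is not part of the original message: a CRAM-MD5 server (RFC 2195) has to hold the shared secret to recompute the client's digest, while a PLAIN server receives the password and can hand it to a separate verifier. `ExternalAuth`, the account, the password and the challenge are constructed for illustration.

```python
import base64, hashlib, hmac, os

def cram_md5_response(user, password, challenge):
    """Client (RFC 2195): prove knowledge of the password via HMAC-MD5 over the challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def verify_cram_md5(response, challenge, lookup_secret):
    """Server: must hold the shared secret itself to recompute the digest."""
    user, _, digest = base64.b64decode(response).rpartition(b" ")
    secret = lookup_secret(user.decode())
    if secret is None:          # no stored password: nothing to key the HMAC with
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest)

def verify_plain(message, backend_check):
    """Server (PLAIN): authzid NUL authcid NUL passwd; the password can be handed on."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return False
    return backend_check(parts[1].decode(), parts[2].decode())

class ExternalAuth:
    """Constructed stand-in for a separate authentication service that only answers yes/no."""
    def __init__(self):
        self._db = {}
    def enroll(self, user, password):
        salt = os.urandom(16)
        self._db[user] = (salt, self._kdf(password, salt))
    def check(self, user, password):
        if user not in self._db:
            return False
        salt, stored = self._db[user]
        return hmac.compare_digest(stored, self._kdf(password, salt))
    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def demo():
    backend = ExternalAuth()
    backend.enroll("alice", "s3cret")                  # constructed account
    challenge = b"<1896.697170952@news.example.org>"   # constructed challenge
    resp = cram_md5_response("alice", "s3cret", challenge)
    has_secret = verify_cram_md5(resp, challenge, {"alice": "s3cret"}.get)
    backend_only = verify_cram_md5(resp, challenge, lambda user: None)
    plain = verify_plain(b"\0alice\0s3cret", backend.check)
    return has_secret, backend_only, plain
```

The PLAIN message carries the password itself, which is why the thread pairs it with TLS for at least the duration of the exchange.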