ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)
Jeffrey M. Vinocur
jeff at litech.org
Mon Dec 9 19:29:08 PST 2002
On Mon, 9 Dec 2002, Ken Murchison wrote:
> Andrew Gierth wrote:
> >
> > >>>>> "Rob" == Rob Siemborski <rjs3 at andrew.cmu.edu> writes:
> >
> > Rob> So, basically what you're saying is you want a SASL mechanism
> > Rob> that negotiates TLS (or similar) for the duration of the SASL
> > Rob> mechanism, and then does a PLAIN exchange underneath?
> >
> > or pretty much any mechanism that works by encrypting the password
> > rather than generating digests from it.
> >
> > Rob> In general your problem is solved by putting TLS around the
> > Rob> whole session, of course (but you already said that won't work
> > Rob> for you).
> >
> > encrypting whole sessions is a bit of an issue when you're doing serious
> > traffic volumes (think gigabits).
>
> So, are you talking about server-server authentication, or a high volume
> of client connections?
Clients, I expect he means. Keep in mind that the commercial usenet
services sell accounts generally up to 50 gigabytes per month (this is
for a single user).
The reason DIGEST-MD5 is no good, though, is that many ISPs outsource
their usenet needs to one of the commercial servers; the server needs to
be able to authenticate users by proxy to the appropriate ISP.
(Fundamentally, it would be better for this not to involve trusting the
news server with the password. But in practice, right now, that's how it
needs to be.)
--
Jeffrey M. Vinocur
jeff at litech.org
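The distinction the message above turns on, that a digest mechanism proves possession of the password without handing the server anything it can re-use toward a third party, is worked through below. This is an added example, not code from the ietf-nntp thread or from any implementation mentioned in it. It implements SASL PLAIN framing (RFC 2595) and the DIGEST-MD5 response computation (RFC 2831, qop=auth, no authzid), then runs a constructed scenario: a news server in front of an ISP back end. The host names (news.example, isp.example), the account alice, her password, the digest-uri and all nonces are constructed; the only real data is the RFC 2831 test vector quoted in the docstring.

```python
"""SASL PLAIN versus DIGEST-MD5 at a proxying news server.
Added example, not code from the ietf-nntp thread; host names, the
account and all nonces are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def plain_encode(authcid: str, passwd: str, authzid: str = "") -> bytes:
    """SASL PLAIN message (RFC 2595 sec. 6): authzid NUL authcid NUL passwd."""
    if any("\0" in f for f in (authzid, authcid, passwd)):
        raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    return f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")


def plain_decode(msg: bytes) -> tuple[str, str, str]:
    parts = msg.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def digest_md5_response(username: str, realm: str, passwd: str, nonce: str,
                        cnonce: str, digest_uri: str, nc: str = "00000001") -> str:
    """'response' directive of RFC 2831 sec. 2.1.2.1 for qop=auth, no authzid.

    A1 begins with the 16-byte *binary* MD5 of username:realm:passwd (RFC
    2831's H()), not its hex form as in HTTP Digest.  RFC 2831's own example
    (chris, elwood.innosoft.com, "secret", nonce OA6MG9tEQGm2hh, cnonce
    OA6MHXh6VqTrRk, imap/elwood.innosoft.com) gives
    d388dad90d4bbd760a152321f2143af7.
    """
    h_pw = hashlib.md5(f"{username}:{realm}:{passwd}".encode("utf-8")).digest()
    ha1 = hashlib.md5(h_pw + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode("utf-8")
    return hashlib.md5(kd).hexdigest()


class DigestMd5Server:
    """Verifier side: it needs the password (or the password-equivalent
    H(username:realm:passwd)) even just to check a response."""

    def __init__(self, realm: str, userdb: dict[str, str]):
        self.realm, self.userdb = realm, userdb   # userdb: username -> password
        self.nonce: str | None = None

    def challenge(self) -> str:
        self.nonce = secrets.token_hex(16)        # fresh nonce per authentication
        return self.nonce

    def verify(self, username: str, cnonce: str, digest_uri: str, response: str) -> bool:
        passwd = self.userdb.get(username)
        if passwd is None or self.nonce is None:
            return False
        expected = digest_md5_response(username, self.realm, passwd,
                                       self.nonce, cnonce, digest_uri)
        return hmac.compare_digest(expected.encode(), response.encode())


def isp_check_plain(userdb: dict[str, str], msg: bytes) -> bool:
    """The ISP's own PLAIN check against its account database (constructed)."""
    _authzid, authcid, passwd = plain_decode(msg)
    stored = userdb.get(authcid)
    return stored is not None and hmac.compare_digest(stored.encode(), passwd.encode())


def proxy_plain(isp_userdb: dict[str, str], client_msg: bytes) -> bool:
    """News server got PLAIN (under TLS in practice): it holds the cleartext
    password, so it can simply authenticate to the ISP with it."""
    _authzid, authcid, passwd = plain_decode(client_msg)
    return isp_check_plain(isp_userdb, plain_encode(authcid, passwd))


def proxy_digest(isp: DigestMd5Server, username: str, cnonce: str,
                 digest_uri: str, client_response: str) -> bool:
    """News server got a DIGEST-MD5 response bound to *its* nonce and realm.
    Holding no password, all it can do is forward that response; the ISP
    issued a different nonce, so the check fails."""
    isp.challenge()
    return isp.verify(username, cnonce, digest_uri, client_response)


def run_scenario() -> dict[str, bool]:
    userdb = {"alice": "correct horse"}        # constructed ISP account
    isp = DigestMd5Server("isp.example", userdb)

    plain_ok = proxy_plain(userdb, plain_encode("alice", "correct horse"))

    # For DIGEST-MD5 the news server must already hold alice's password
    # merely to verify her, and still cannot re-authenticate to the ISP.
    news = DigestMd5Server("news.example", userdb)
    nonce, cnonce, uri = news.challenge(), secrets.token_hex(8), "nntp/news.example"
    response = digest_md5_response("alice", "news.example", "correct horse",
                                   nonce, cnonce, uri)
    return {"plain_proxied": plain_ok,
            "digest_verified_at_news_server": news.verify("alice", cnonce, uri, response),
            "digest_proxied_to_isp": proxy_digest(isp, "alice", cnonce, uri, response)}
```

With PLAIN the news server holds the password and can re-authenticate to the ISP by whatever means the ISP accepts; with DIGEST-MD5 it holds only a response bound to its own nonce, and it needs the password, or the password-equivalent H(username:realm:password), merely to verify that response. Relaying the ISP's own challenge to the client verbatim would only work if the ISP also spoke DIGEST-MD5 and the client accepted the ISP's realm, which is a different arrangement from the one the message describes.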