ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Jeffrey M. Vinocur jeff at
Mon Dec 9 19:29:08 PST 2002

On Mon, 9 Dec 2002, Ken Murchison wrote:

> Andrew Gierth wrote:
> > 
> > >>>>> "Rob" == Rob Siemborski <rjs3 at> writes:
> > 
> >  Rob> So, basically what you're saying is you want a SASL mechanism
> >  Rob> that negotiates TLS (or similar) for the duration of the SASL
> >  Rob> mechanism, and then does a PLAIN exchange underneath?
> > 
> > or pretty much any mechanism that works by encrypting the password
> > rather than generating digests from it.
> > 
> >  Rob> In general your problem is solved by putting TLS around the
> >  Rob> whole session, of course (but you already said that won't work
> >  Rob> for you).
> > 
> > encrypting whole sessions is a bit of an issue when you're doing serious
> > traffic volumes (think gigabits).
> So, are you talking about server-server authentication, or a high volume
> of client connections?

Clients, I expect he means.  Keep in mind that the commercial usenet 
services sell accounts generally up to 50 gigabytes per month (this is 
for a single user).

The reason DIGEST-MD5 is no good, though, is that many ISPs outsource 
their usenet needs to one of the commercial servers; the server needs to 
be able to authenticate users by proxy to the appropriate ISP.

(Fundamentally, it would be better for this not to involve trusting the 
news server with the password.  But in practice, right now, that's how it 
needs to be.)

Jeffrey M. Vinocur
jeff at

More information about the ietf-nntp mailing list