ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)
Charles Lindsey
chl at clw.cs.man.ac.uk
Tue Dec 10 06:23:57 PST 2002
In <3DF543E7.15FD9034 at oceana.com> Ken Murchison <ken at oceana.com> writes:
>Yes, this is a well known problem with infrastructures which are based
>around a plaintext methodology. I guess your alternatives are to switch
>to something like Kerberos or try resurrecting Newman's DSS effort (or
>something similar) ietf-sasl. If the WG likes the idea, I'll volunteer
>to write the plugin for CMU SASL.
Then why are we basing anything around a plaintext methodology? My
ignorance of SASL is profound, but I had always assumed that it
incorporated a mechanism whereby the server could confirm that the client
knew a secret without actually passing that secret in plaintext. Surely
that is the fundamental problem. How the server associates (its version
of) the secret with the client is a separate issue. Maybe it stores it
itself (it should know who its paying customers are) or maybe it
outsources it, but why should NNTP care about that part of it?
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: chl at clw.cs.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
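The mechanism Charles describes, where the server confirms the client knows a secret without the secret crossing the wire, is what the SASL CRAM-MD5 mechanism (RFC 2195) does: the server sends a fresh challenge, the client answers with HMAC-MD5 keyed by the shared secret, and the server recomputes the same value from its own copy. The following is an added illustration, not code from this thread or from CMU SASL; the credential store, the username, the secret and the host name are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample credential store (username -> shared secret).
# CRAM-MD5 requires the server to hold the secret itself (or the MD5
# contexts derived from it); this is the server-side storage trade-off
# the thread refers to, even though the secret never travels in clear.
CREDENTIALS = {"alice": b"correct horse battery staple"}


def server_challenge(host: str = "news.example.invalid") -> bytes:
    """Fresh RFC 2195 challenge: base64('<random.timestamp@host>')."""
    nonce = int.from_bytes(os.urandom(8), "big")
    plain = f"<{nonce}.{int(time.time())}@{host}>".encode("ascii")
    return base64.b64encode(plain)


def client_response(username: str, secret: bytes, challenge: bytes) -> bytes:
    """Client reply: base64('username ' + hex(HMAC-MD5(secret, challenge)))."""
    decoded = base64.b64decode(challenge)
    digest = hmac.new(secret, decoded, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii"))


def server_verify(challenge: bytes, response: bytes, credentials=CREDENTIALS) -> bool:
    """Recompute the digest from the server's copy of the secret and compare."""
    try:
        user, digest = base64.b64decode(response).decode("ascii").rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed reply
    secret = credentials.get(user)
    if secret is None:
        return False  # unknown user; no timing shortcut on the digest below
    expected = hmac.new(secret, base64.b64decode(challenge), hashlib.md5).hexdigest()
    # Constant-time comparison so a byte-by-byte mismatch is not observable.
    return hmac.compare_digest(expected, digest)


def secret_on_the_wire(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """True if the plaintext secret appears in either transmitted message."""
    return secret in base64.b64decode(challenge) or secret in base64.b64decode(response)


def demo() -> dict:
    """One successful exchange, plus the two failure modes a server must reject."""
    chal = server_challenge()
    resp = client_response("alice", CREDENTIALS["alice"], chal)
    return {
        "genuine_accepted": server_verify(chal, resp),
        # A captured response replayed against a later challenge must fail.
        "replay_accepted": server_verify(server_challenge(), resp),
        "wrong_secret_accepted": server_verify(chal, client_response("alice", b"wrong", chal)),
        "secret_visible": secret_on_the_wire(CREDENTIALS["alice"], chal, resp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The exchange answers the question in the message: the client proves knowledge of the secret, the challenge changes every time so a recorded reply cannot be replayed, and whether the server stores the secret locally or looks it up elsewhere is invisible to the protocol. The cost is that the server needs a plaintext-equivalent copy of the secret rather than a one-way hash of it, which is the storage weakness Ken alludes to.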