ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

[Russ Allbery]

Charles Lindsey <chl at clw.cs.man.ac.uk> writes:
> Ken Murchison <ken at oceana.com> writes:

>> I agree that a SASL mech which encrypts only the plaintext password is
>> desirable.

> Then someone needs to sit down and define one. To break Russ' circle.

Yes, that was the conclusion that I think we reached after about the
fourth message on this thread, and the rest of the thread has mostly been
us trying to explain it to you.  :)

> No, AUTHINFO SASL is not implemented in typical NNTP servers yet, so
> implementors are going to have to do some work. If we define the
> necessary SASL encrypted password at the same time, then they will just
> implement it as part of the package. If we try to add it later they
> won't bother ("why didn't you tell me that was needed the first time
> round?").

Thankfully, that's not how SASL is generally implemented.  Most software
using SASL is using the Cyrus SASL library and therefore doesn't implement
the individual mechanisms separately.  Adding a new mechanism is as simple
as just building against a new version of the Cyrus SASL library and
adding a minimal amount of glue.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>