ietf-nntp Re: WG Review: Simple Authentication and Security
Layer (sasl)
Russ Allbery
rra at stanford.edu
Thu Dec 19 13:46:14 PST 2002
Charles Lindsey <chl at clw.cs.man.ac.uk> writes:
> Ken Murchison <ken at oceana.com> writes:
>> I agree that a SASL mech which encrypts only the plaintext password is
>> desirable.
> Then someone needs to sit down and define one. To break Russ' circle.
Yes, that was the conclusion that I think we reached after about the
fourth message on this thread, and the rest of the thread has mostly been
us trying to explain it to you. :)
> No, AUTHINFO SASL is not implemented in typical NNTP servers yet, so
> implementors are going to have to do some work. If we define the
> necessary SASL encrypted password at the same time, then they will just
> implement it as part of the package. If we try to add it later they
> won't bother ("why didn't you tell me that was needed the first time
> round?").
Thankfully, that's not how SASL is generally implemented. Most software
using SASL is using the Cyrus SASL library and therefore doesn't implement
the individual mechanisms separately. Adding a new mechanism is as simple
as just building against a new version of the Cyrus SASL library and
adding a minimal amount of glue.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the ietf-nntp
mailing list