ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Lawrence Greenfield leg+ at andrew.cmu.edu
Thu Dec 19 13:53:03 PST 2002


   From: Russ Allbery <rra at stanford.edu>
   Date: Thu, 19 Dec 2002 13:46:14 -0800
[...]
   Thankfully, that's not how SASL is generally implemented.  Most software
   using SASL is using the Cyrus SASL library and therefore doesn't implement
   the individual mechanisms separately.  Adding a new mechanism is as simple
   as just building against a new version of the Cyrus SASL library and
   adding a minimal amount of glue.

I don't think that's how "most" software is implemented. Many open source
servers do make use of the Cyrus SASL framework, but there are many
many clients out there that implement SASL (one or more SASL
mechanisms) without using our library.

For instance, Outlook Express implements SASL for SMTP AUTH, Sun
implements SASL for LDAP in Java, etc.

I question whether the cost of designing and deploying a new SASL
mechanism is worth the savings over using TLS, especially as a MUST
implement mechanism.

I would instead propose that the working group have a MUST implement
TLS and PLAIN requirement, and sites that have specific performance
requirements can specify a different SASL mechanism that they will
share with their customers. (Remember, must implement is not the same
as must use.) For sites that use a SASL framework like Cyrus SASL,
adding a new mechanism is trivial. For others, it will be somewhat
harder.

Larry
