ietf-nntp Re: WG Review: Simple Authentication and Security
rra at stanford.edu
Thu Dec 19 14:04:56 PST 2002
Lawrence Greenfield <leg+ at andrew.cmu.edu> writes:

> I don't think that's how "most" software is implemented. Many open
> source servers do make use of the Cyrus SASL framework, but there are
> many many clients out there that implement SASL (one or more SASL
> mechanisms) without using our library.

Okay, yes, that's a valid point.

> I question whether the cost of designing and deploying a new SASL
> mechanism is worth the savings over using TLS, especially as a MUST
> implement mechanism.
>
> I would instead propose that the working group have a MUST implement TLS
> and PLAIN requirement, and sites that have specific performance
> requirements can specify a different SASL mechanism that they will share
> with their customers.

Both TLS and SASL (and indeed any authentication whatsoever) are entirely
optional in NNTP, so I'm not sure what the scope of your "MUST" is here.
I don't think that news servers should be required to implement TLS, even
if they support authentication. TLS is a lot of additional complexity and
is quite a lot of overhead for the typical news application.

Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>