ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Russ Allbery rra at
Thu Dec 19 14:04:56 PST 2002

Lawrence Greenfield <leg+ at> writes:

> I don't think that's how "most" software is implemented. Many open
> source servers do make use of the Cyrus SASL framework, but there are
> many many clients out there that implement SASL (one or more SASL
> mechanisms) without using our library.

Okay, yes, that's a valid point.

> I question whether the cost of designing and deploying a new SASL
> mechanism is worth the savings over using TLS, especially as a MUST
> implement mechanism.

> I would instead propose that the working group have a MUST implement TLS
> and PLAIN requirement, and sites that have specific performance
> requirements can specify a different SASL mechanism that they will share
> with their customers.

Both TLS and SASL (and indeed any authentication whatsoever) are entirely
optional in NNTP, so I'm not sure what the scope of your "MUST" is here.

I don't think that news servers should be required to implement TLS, even
if they support authentication.  TLS is a lot of additional complexity and
is quite a lot of overhead for the typical news application.

Russ Allbery

