ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Jeffrey M. Vinocur jeff at litech.org
Thu Dec 19 15:22:55 PST 2002


On Thu, 19 Dec 2002, Russ Allbery wrote:

> Lawrence Greenfield <leg+ at andrew.cmu.edu> writes:
> 
> > I don't think that's how "most" software is implemented. Many open
> > source servers do make use of the Cyrus SASL framework, but there are
> > many many clients out there that implement SASL (one or more SASL
> > mechanisms) without using our library.
> 
> Okay, yes, that's a valid point.

Indeed.

On the other hand, I'd hope that the client authors will find it 
appropriate to implement whatever mechanisms the corresponding servers 
commonly provide.


> > I question whether the cost of designing and deploying a new SASL
> > mechanism is worth the savings over using TLS, especially as a MUST
> > implement mechanism.

Well, for NNTP, I'd say it is.  In particular, we will never be able to
eliminate plaintext authentication from the universe until we have
something like that DSS draft.

And is it just me, or isn't the entire point of SASL that the client and
server authors only have to implement the profile, and then they get any
future mechanisms for free?  If this isn't what actually happens in the 
real world, then it says to me that something needs to be fixed.

Note also that it's not like the NNTP profile is going to be standardized
next week; if it's as important as you say that the mechanism we discuss
above be standardized *before* the profile, then we'll just have to make
that happen in the intervening interval.


> Both TLS and SASL (and indeed any authentication whatsoever) are entirely
> optional in NNTP, so I'm not sure what the scope of your "MUST" is here.
> 
> I don't think that news servers should be required to implement TLS, even
> if they support authentication.  TLS is a lot of additional complexity and
> is quite a lot of overhead for the typical news application.

Agreed.  There are, though, some issues I have on my internal todo-list
regarding what things-that-are-required we have and how they should be
determined, but those can definitely wait until after we get a draft out.  
(My vision here is that all our debate, of which there can be as much as
people want, happen in the form of iterated publish/discuss/revise, rather
than while we're in the amorphous current state.  So if possible, just 
make notes of what you want to discuss later, and we'll happily discuss 
until exhaustion -- but after there's something concrete to discuss.  
Sound like a plan?)

-- 
Jeffrey M. Vinocur
jeff at litech.org