ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Andrew Gierth andrew at erlenstar.demon.co.uk
Fri Dec 20 02:42:27 PST 2002


>>>>> "Lawrence" == Lawrence Greenfield <leg+ at andrew.cmu.edu> writes:

 Lawrence> I would instead propose that the working group have a MUST
 Lawrence> implement TLS

Not ever going to happen in practice.

Very few users are interested in TLS for actually securing the _data_,
and therefore they aren't interested in paying the costs involved in
providing it. Therefore it is likely that people will stick to using
plaintext passwords and AUTHINFO USER/PASS (which is not going to go
away anytime soon, if ever).

The other reason not to rely on TLS is that currently, even with
SASL, the authentication exchange can be mostly kept separate from the
rest of the protocol. A sensible high-volume server design will even
implement it via a pass-through to a separate authentication server
rather than clutter up the mainline code. Bear in mind that
authentication itself is a not-inconsiderable load at a large site,
where it is not uncommon to have to deal with 50-100 connects/sec.
Furthermore, because clients often do set up and tear down connections
fairly quickly, the authentication process must not involve an excessive
number of round-trips.

-- 
Andrew.
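The design sketched in the message above, as an added example that is not part of the original post: a minimal server-side handler for the NNTP AUTHINFO USER/PASS exchange, with the credential check delegated to a pluggable callable (standing in for the pass-through to a separate authentication server) and a round-trip counter so the cost of the exchange is visible. The class, function and demo credential names are my own; response codes follow RFC 4643 (281/381/481/482) and RFC 3977 (483/501).

```python
# Added example, not code from the original message. A per-connection
# AUTHINFO USER/PASS state machine that hands the actual credential
# check to a separate backend and counts round-trips.
from typing import Callable, Optional

Authenticator = Callable[[str, str], bool]   # (user, password) -> accepted?


class AuthInfoSession:
    """Server-side state for one connection's AUTHINFO USER/PASS exchange."""

    def __init__(self, authenticate: Authenticator, tls_active: bool = False,
                 require_tls_for_plaintext: bool = False) -> None:
        self.authenticate = authenticate    # delegated, e.g. to a separate auth server
        self.tls_active = tls_active
        self.require_tls = require_tls_for_plaintext
        self.pending_user: Optional[str] = None
        self.authenticated: Optional[str] = None
        self.round_trips = 0                # one client command + one reply = 1

    def handle(self, line: str) -> str:
        self.round_trips += 1
        parts = line.strip().split(" ", 2)
        if len(parts) != 3 or parts[0].upper() != "AUTHINFO":
            return "501 Syntax error"
        keyword, value = parts[1].upper(), parts[2]
        if self.require_tls and not self.tls_active:
            # Site policy knob: refuse a plaintext password on a bare connection.
            return "483 Encryption or stronger authentication required"
        if keyword == "USER":
            self.pending_user = value
            return "381 Password required"
        if keyword == "PASS":
            if self.pending_user is None:
                return "482 Authentication commands issued out of sequence"
            user, self.pending_user = self.pending_user, None
            if self.authenticate(user, value):
                self.authenticated = user
                return "281 Authentication accepted"
            return "481 Authentication failed"
        return "501 Syntax error"


def run_exchange(session: AuthInfoSession, user: str, password: str) -> list:
    """Drive the two-command USER/PASS exchange; returns the server replies."""
    return [session.handle(f"AUTHINFO USER {user}"),
            session.handle(f"AUTHINFO PASS {password}")]


# Constructed credential table standing in for the remote authentication backend.
_DEMO_CREDENTIALS = {"alice": "correct horse"}


def demo_backend(user: str, password: str) -> bool:
    return _DEMO_CREDENTIALS.get(user) == password
```

The full USER/PASS exchange costs two round-trips even before any TLS handshake is added, which is the per-connection overhead the message is weighing against the 50-100 connects/sec figure.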
