ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Ken Murchison ken at oceana.com
Fri Dec 20 06:58:24 PST 2002


"Jeffrey M. Vinocur" wrote:
> 
> On Thu, 19 Dec 2002, Russ Allbery wrote:
> 
> > Lawrence Greenfield <leg+ at andrew.cmu.edu> writes:
> >
> > > I don't think that's how "most" software is implemented. Many open
> > > source servers do make use of the Cyrus SASL framework, but there are
> > > many many clients out there that implement SASL (one or more SASL
> > > mechanisms) without using our library.
> >
> > Okay, yes, that's a valid point.
> 
> Indeed.
> 
> On the other hand, I'd hope that the client authors will find it
> appropriate to implement whatever mechanisms the corresponding servers
> commonly provide.
> 
> > > I question whether the cost of designing and deploying a new SASL
> > > mechanism is worth the savings over using TLS, especially as a MUST
> > > implement mechanism.
> 
> Well, for NNTP, I'd say it is.  In particular, we will never be able to
> eliminate plaintext authentication from the universe until we have
> something like that DSS draft.
> 
> And is it just me, or isn't the entire point of SASL that the client and
> server authors only have to implement the profile, and then they get any
> future mechanisms for free?  If this isn't what actually happens in the
> real world, then it says to me that something needs to be fixed.

With a good implementation such as Cyrus SASL, you DO get any new
mechanisms for free.  I can add/subtract mechanisms from my Cyrus
IMAP/NNTP/POP3/LMTP server all day long without recompiling.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp


