ietf-nntp Re: WG Review: Simple Authentication and SecurityLayer (sasl)

Ken Murchison ken at
Fri Dec 20 06:58:24 PST 2002

"Jeffrey M. Vinocur" wrote:
> On Thu, 19 Dec 2002, Russ Allbery wrote:
> > Lawrence Greenfield <leg+ at> writes:
> >
> > > I don't think that's how "most" software is implemented. Many open
> > > source servers do make use of the Cyrus SASL framework, but there are
> > > many many clients out there that implement SASL (one or more SASL
> > > mechanisms) without using our library.
> >
> > Okay, yes, that's a valid point.
> Indeed.
> On the other hand, I'd hope that the client authors will find it
> appropriate to implement whatever mechanisms the corresponding servers
> commonly provide.
> > > I question whether the cost of designing and deploying a new SASL
> > > mechanism is worth the savings over using TLS, especially as a MUST
> > > implement mechanism.
> Well, for NNTP, I'd say it is.  In particular, we will never be able to
> eliminate plaintext authentication from the universe until we have
> something like that DSS draft.
> And is it just me, or isn't the entire point of SASL that the client and
> server authors only have to implement the profile, and then they get any
> future mechanisms for free?  If this isn't what actually happens in the
> real world, then it says to me that something needs to be fixed.

With a good implementation such as Cyrus SASL, you DO get any new
mechanisms for free.  I can add/subtract mechanisms from my Cyrus
IMAP/NNTP/POP3/LMTP server all day long without recompiling.

Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--

More information about the ietf-nntp mailing list