ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Rob Siemborski rjs3 at andrew.cmu.edu
Fri Dec 20 08:35:55 PST 2002


On Fri, 20 Dec 2002, Ken Murchison wrote:

> Maybe it's just me, but you seem to be projecting your particular
> implementation and its pros/cons on the entire community.  I'm sure that
> there are plenty of ISPs that can successfully provide secure
> authentication without the *NEED* for a DSS-type mechanism.  As I've
> stated before, I can definitely see a fit for such a mechanism, but you
> make it sound like nothing can be done without it.

Additionally, since both the DSS SASL mechanism and TLS require the
expense of a public key operation to set up, and once the overhead of that
is done with, the continued expense of encrypting the traffic isn't that
high, I don't think you are saving much by avoiding the relative
simplicity of TLS/PLAIN.

I mean, is it really worth the expense of the public key operation if
you're just going to encrypt the 5-10 bytes of the password?  If it is,
it's probably worth it to just buy a TLS accelerator card, encrypt the
whole connection, and be done with it.

I am also of the opinion that this is a special-case requirement, and
shouldn't hold up the draft, though perhaps this does affect NNTP worse
than other protocols due to the common ways it is deployed.  Like Ken
said, I suspect that if a new mechanism is desired, then it will need to
be developed by those who want it (this group).

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski | Andrew Systems Group * Research Systems Programmer
PGP:0x5CE32FCC | Cyert Hall 207 * rjs3 at andrew.cmu.edu * 412.268.7456
-----BEGIN GEEK CODE BLOCK----
Version: 3.12
GCS/IT/CM/PA d- s+: a-- C++++$ ULS++++$ P+++$ L+++(++++) E W+ N o? K-
w O- M-- V-- PS+ PE++ Y+ PGP+ t+@ 5+++ R@ tv-@ b+ DI+++ G e h r- y?
------END GEEK CODE BLOCK-----



