ietf-nntp Re: WG Review: Simple Authentication and Security Layer (sasl)

Jeffrey M. Vinocur jeff at litech.org
Sun Dec 29 19:37:48 PST 2002


On Fri, 20 Dec 2002, Rob Siemborski wrote:

> On Fri, 20 Dec 2002, Jeffrey M. Vinocur wrote:
> 
> > It may be lack of publicity about available libraries, or difficulty
> > calling the library from their application, or inappropriate licensing of
> > the library, or any number of other things.  I don't claim to have any
> > idea what the reason is.  But if Larry's statement is accurate, something
> > is *broken* and needs to be pursued in whatever fashion is appropriate.
> 
> This is an implementation issue that has nothing to do with the
> protocol-level standardization of AUTHINFO SASL.  The presence or lack of
> a library to actually implement the mechanisms is orthogonal to obtaining
> consensus on how AUTHINFO SASL should look on the wire.

True.  But it's *not* orthogonal to deciding about the 
mandatory-to-implement mechanism.  The reason we started talking about 
this, as I recall, is from discussing the cost (to client authors) of 
adding a new mechanism (the DSS-like one) after they had already released 
code supporting AUTHINFO SASL.

I don't have a feel for how many client authors are implementing these 
mechanisms themselves rather than using a library, and I think that's 
important information in the above decision.

(Additionally, it seems to me that if the answer to the above is anything
besides "only the ones not programming in C", then there's some underlying
issue that somebody on the SASL side of things ought to look at.  Maybe
that's none of my business, but I can still make the observation I was making in
the first paragraph quoted above.)


> This is just like saying TLS is broken because not everybody uses OpenSSL
> to implement it.

No, it's like saying something is (potentially) broken about OpenSSL.  
(How many client authors implement TLS themselves?  And why?)


> I don't think there is a very strong argument against using TLS/PLAIN
> for this purpose (given that this WG seems to be insistent that the
> servers receive copies of the plaintext passwords, 

We're still waiting for details from SASL people about the possibility of 
down-negotiation to plaintext after authentication.  I'd say that makes a 
difference.


-- 
Jeffrey M. Vinocur
jeff at litech.org
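The "TLS/PLAIN" option argued over above hinges on one server-side rule: PLAIN hands the server the cleartext password, so a server must refuse it until a confidentiality layer (TLS) is actually in effect on the connection. The following is an added example, not code from this thread or from any NNTP server or SASL library; it sketches how a server might gate AUTHINFO SASL PLAIN on TLS state and decode the PLAIN message. The `NntpSession` class, the credential table and the sample usernames are constructed for the demonstration, and the numeric response strings are written from memory of RFC 3977 / RFC 4643 and should be treated as assumptions rather than quotations of those documents.

```python
"""Gating AUTHINFO SASL PLAIN on TLS state: an added example, not from the thread."""
import base64
import binascii
import hmac

# Response codes as recalled from RFC 3977 / RFC 4643; treat the exact text as an assumption.
R_ACCEPTED = "281 Authentication accepted"
R_CHALLENGE_EMPTY = "383 ="          # '=' stands for an empty challenge
R_REJECTED = "481 Authentication failed/rejected"
R_OUT_OF_SEQUENCE = "482 Authentication commands issued out of sequence"
R_NEED_TLS = "483 Encryption or stronger authentication required"
R_SYNTAX = "501 Syntax error"
R_NO_MECH = "503 Mechanism not supported"


class NntpSession:
    """Hypothetical per-connection state; not a real server's data structure."""

    def __init__(self, tls_active, credentials):
        self.tls_active = tls_active      # True once STARTTLS (or a TLS port) is in effect
        self.credentials = credentials    # constructed sample table: {authcid: password}
        self.authenticated_as = None
        self.pending_mech = None          # mechanism awaiting a client response


def encode_plain(authzid, authcid, passwd):
    """Build the base64 SASL PLAIN message: authzid NUL authcid NUL passwd (RFC 4616)."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def decode_plain(payload):
    """Return (authzid, authcid, passwd), or None if the payload is malformed."""
    try:
        raw = base64.b64decode(payload, validate=True)
    except (ValueError, binascii.Error):
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError:
        return None
    if not authcid or not passwd:
        return None
    return authzid, authcid, passwd


def _complete_plain(session, payload):
    """Verify a decoded PLAIN message against the session's credential table."""
    session.pending_mech = None
    fields = decode_plain(payload)
    if fields is None:
        return R_SYNTAX
    authzid, authcid, passwd = fields
    expected = session.credentials.get(authcid, "")
    # Constant-time comparison; an unknown user compares against "" and fails.
    ok = authcid in session.credentials and hmac.compare_digest(
        expected.encode("utf-8"), passwd.encode("utf-8"))
    # Only allow acting as oneself: authzid must be empty or equal to authcid.
    if not ok or (authzid and authzid != authcid):
        return R_REJECTED
    session.authenticated_as = authcid
    return R_ACCEPTED


def handle_authinfo_sasl(session, line):
    """Handle one 'AUTHINFO SASL <mech> [initial-response]' command line."""
    tokens = line.split()
    if len(tokens) not in (3, 4) or [t.upper() for t in tokens[:2]] != ["AUTHINFO", "SASL"]:
        return R_SYNTAX
    if session.authenticated_as is not None:
        return R_OUT_OF_SEQUENCE
    mech = tokens[2].upper()
    if mech != "PLAIN":
        return R_NO_MECH
    # The crux of the thread: PLAIN exposes the cleartext password to the server and
    # to the wire, so it is only acceptable once a confidentiality layer is active.
    if not session.tls_active:
        return R_NEED_TLS
    if len(tokens) == 3:
        session.pending_mech = "PLAIN"
        return R_CHALLENGE_EMPTY
    initial = "" if tokens[3] == "=" else tokens[3]
    return _complete_plain(session, initial)


def handle_sasl_response(session, line):
    """Handle the client's base64 response to a 383 challenge."""
    if session.pending_mech != "PLAIN":
        return R_OUT_OF_SEQUENCE
    return _complete_plain(session, line.strip())


if __name__ == "__main__":
    creds = {"alice": "s3cret"}                      # constructed sample credentials
    cmd = "AUTHINFO SASL PLAIN " + encode_plain("", "alice", "s3cret")
    print(handle_authinfo_sasl(NntpSession(False, creds), cmd))   # refused: no TLS
    print(handle_authinfo_sasl(NntpSession(True, creds), cmd))    # accepted under TLS
```

The same command produces a 483 on a cleartext connection and a 281 once TLS is active; the mechanism decision the WG is debating is exactly whether that gate is an acceptable substitute for a mechanism that never exposes the password at all.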
