[Imap-uw] sasl security-layer support
Mark Crispin
MRC at CAC.Washington.EDU
Mon Feb 6 17:02:11 PST 2006
On Fri, 3 Feb 2006, Mark Sirota wrote:
>> I could count the number of times I've been asked about supporting SASL
>> security layers in UW imapd on one hand...and still have some fingers
>> left!
> Penn will happily take another finger. :-)
Could you explain why SASL security layers are so important to Penn?
Don't you have to offer SSL/TLS anyway, due to all the clients that don't
have Kerberos? Don't your Kerberos clients now do SSL/TLS, and then
authenticate using Kerberos?
As far as I can tell, the main benefit to using SASL security layers
(instead of SSL/TLS) is to eliminate the overhead of SSL/TLS key
generations, and possibly also an RTT, in the initial session connection.
Otherwise, far more sites are going to have SSL/TLS than Kerberos (or
DIGEST-MD5, the other SASL mechanism which IIRC has security layers).
Am I missing something?
I agree that, conceptually, SASL security layers are the cleanest way to do
things, but SSL/TLS seems to be the direction most people choose.
-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.