[Imap-uw] sasl secuity-layer support
MRC at CAC.Washington.EDU
Mon Feb 6 19:43:42 PST 2006
Hi Mark, comments interspersed below.
On Mon, 6 Feb 2006, Mark Sirota wrote:
> However, I
> think most server administrators would choose SASL security layers over
> TLS/SSL, if given the choice -- no certificates to manage (including
> things like the revocation problem), and better performance at scale.
I don't understand how this can be an either/or. TLS/SSL seems to be a
given for the foreseeable future. Thus, the question is whether or not
SASL security layers should also exist as an "and".
The benefits to SASL security layers (at least that I am aware of) are:
. possible savings of an RTT
. savings of SSL/TLS key generation overhead on the server.
The disadvantages that I see are:
. greater complexity -- more security-critical code (and worse, code that
is not often tested/exercised)
. limited client implementation (chicken & egg problem)
. limited overall deployment. DIGEST-MD5 has real problems, and Kerberos
remains uncommon. Very few people use the Kerberos code now.
> I don't buy into the argument that server administrators should be forced
> to accept the worst case. We can begrudgingly accept the worst case, and
> work to minimize its occurrence.
Why do you feel that SSL/TLS for session integrity, and Kerberos for
authentication, is a "worst case"?
My intent isn't to be argumentative; I'd really like to be convinced
because my own arguments in favor of doing SASL security layers failed to
> In addition, we try to take a long-term view and stay on the high road
> when it comes to doing things The Right Way. Call me old school (I've
> been doing this Internet e-mail thing for 21 years), but for me and my
> organization this has actual value.
I've been doing this Internet e-mail thing from back when it was ARPAnet
(before Internet). 32 years, as I calculate it. So I guess that I'm old
I'd like to hear a convincing argument why it's important to bundle
session integrity with authentication, and why this is better than using
SSL/TLS for session integrity and Kerberos etc. for authentication. Note
that SSL/TLS has client certificates (& the EXTERNAL SASL authenticator),
but that doesn't seem to have progressed very far either.
-- Mark --
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
More information about the Imap-uw