>>>>> "Terry" == Terry Lambert <[EMAIL PROTECTED]> writes:
Terry> Personally, I think SASL should have specified that you
Terry> crypt(3) the passwords, and then use the resulting hash as
Terry> the password value for the shared secret on both ends. At
Terry> least that way, you would not have to pass cleartext to use
Terry> the UNIX account database.
The problem with this is that if you serve up your password database via
NIS, an attacker can grab the crypt()ed password and use it to perform a
forged authentication.
Note that in the next revision of the IMAP4 spec STARTTLS will
be mandatory to implement.
--lyndon
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
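The point Lyndon makes above is that a stored hash which doubles as the shared secret of a challenge-response mechanism is password-equivalent: whoever can read the hash (for example from a NIS map) can answer the challenge without ever knowing the password. The following is an added illustration, not code from the thread or from any SASL implementation. It uses a salted SHA-256 as a stand-in for crypt(3) and an HMAC over a random nonce as a stand-in for the challenge-response mechanism; the function and class names are made up for this example.

```python
import hashlib
import hmac
import secrets

# Stand-in for crypt(3): a salted, one-way hash of the password.
# (Constructed for this example; the real crypt(3) output format differs.)
def derive_stored_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Stand-in for a challenge-response mechanism: prove knowledge of a secret
# by keying an HMAC over a server-chosen random nonce.
def respond(secret: str, challenge: bytes) -> str:
    return hmac.new(secret.encode(), challenge, hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Design Terry proposed: the stored crypt() hash IS the shared secret."""

    def __init__(self, stored_hash: str) -> None:
        self.stored_hash = stored_hash

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, response: str) -> bool:
        expected = respond(self.stored_hash, challenge)
        return hmac.compare_digest(expected, response)


class PlaintextOverTlsServer:
    """Design Lyndon points toward: client sends the password itself over a
    protected channel (STARTTLS); the server only ever stores the hash."""

    def __init__(self, stored_hash: str, salt: str) -> None:
        self.stored_hash = stored_hash
        self.salt = salt

    def verify(self, submitted_password: str) -> bool:
        candidate = derive_stored_hash(submitted_password, self.salt)
        return hmac.compare_digest(candidate, self.stored_hash)


SALT = "xy"  # constructed sample salt
PASSWORD = "correct horse battery staple"  # constructed sample password
STORED_HASH = derive_stored_hash(PASSWORD, SALT)  # what a NIS map would publish


def cr_login_with_password(password: str) -> bool:
    """Legitimate user: derives the shared secret from the password."""
    server = ChallengeResponseServer(STORED_HASH)
    challenge = server.new_challenge()
    return server.verify(challenge, respond(derive_stored_hash(password, SALT), challenge))


def cr_login_with_hash_only(leaked_hash: str) -> bool:
    """Party holding only the published hash, never the password.
    Returns True if the hash alone is enough to authenticate, i.e. the
    stored verifier is password-equivalent (the flaw Lyndon describes)."""
    server = ChallengeResponseServer(STORED_HASH)
    challenge = server.new_challenge()
    return server.verify(challenge, respond(leaked_hash, challenge))


def tls_login_with_hash_only(leaked_hash: str) -> bool:
    """Same leaked hash against the plaintext-over-TLS design: the server
    re-hashes whatever is submitted, so the hash is not a usable credential."""
    server = PlaintextOverTlsServer(STORED_HASH, SALT)
    return server.verify(leaked_hash)


def hash_is_password_equivalent() -> bool:
    """Design check: does knowing the stored hash let you log in?"""
    return cr_login_with_hash_only(STORED_HASH)


if __name__ == "__main__":
    print("legit CR login:", cr_login_with_password(PASSWORD))
    print("CR login with hash only:", cr_login_with_hash_only(STORED_HASH))
    print("TLS login with hash only:", tls_login_with_hash_only(STORED_HASH))
```

The check to apply to any such design is the one `hash_is_password_equivalent` performs: if the value the server stores (and may publish through NIS or a similar directory) is sufficient to answer the challenge, exposure of the database equals exposure of every password, which is exactly the property the STARTTLS-plus-cleartext approach avoids by keeping the stored hash non-usable as a credential.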