--On Monday, February 6, 2006 5:02 PM -0800 Mark Crispin <[EMAIL PROTECTED]> wrote:
Could you explain why SASL security layers are so important to Penn?

Don't you have to offer SSL/TLS anyway, due to all the clients that
don't have Kerberos?  Don't your Kerberos clients now do SSL/TLS, and
then authenticate using Kerberos?

As far as I can tell, the main benefit to using SASL security layers
(instead of SSL/TLS) is to eliminate the overhead of SSL/TLS key
generations, and possibly also an RTT, in the initial session
connection. Otherwise, far more sites are going to have SSL/TLS than
Kerberos (or DIGEST-MD5, the other SASL mechanism which IIRC has
security layers).

Am I missing something?

I agree that, conceptually, SASL security layers is the cleanest way to
do things, but SSL/TLS seems to be the direction most people choose.

You're right, of course, Penn would also have to continue to support
TLS/SSL in addition to SASL/GSS/Kerberos, because we have almost no
control over the choice of IMAP client, and there are a great many that
people like that don't support SASL at all (never mind security layers).
Those are not our recommended clients or configurations, but that doesn't
stop people from using them.  We hope for a future where that's not true,
of course.

However, the majority (rapidly becoming the vast majority) of our users
choose to use our webmail service, which is an IMAP client over which we
have complete control.  So while incomplete in the near term, we'd still
get a pretty big win.

As for "the direction people choose", yes, client vendors seem to choose
this, and sometimes users choose clients from those vendors.  However, I
think most server administrators would choose SASL security layers over
TLS/SSL, if given the choice -- no certificates to manage (including
things like the revocation problem), and better performance at scale.

I don't buy into the argument that server administrators should be forced
to accept the worst case.  We can begrudgingly accept the worst case, and
work to minimize its occurrence.

In addition, we try to take a long-term view and stay on the high road
when it comes to doing things The Right Way.  Call me old school (I've
been doing this Internet e-mail thing for 21 years), but for me and my
organization this has actual value.  If we can help facilitate better
solutions for all, by contributing code, pressuring vendors, etc. to do
the right thing, the world will be a better place.

Mark
--
Mark Sirota, Associate Director, Network Engineering and Services
University of Pennsylvania, Information Systems and Computing
[EMAIL PROTECTED], 215/573-7214
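The two options argued over in this exchange, a SASL mechanism that negotiates its own security layer versus wrapping the session in TLS first, come down to a client-side decision taken from the server's CAPABILITY response. The following is an added example and not code from either poster or from the UW IMAP toolkit: it parses an IMAP CAPABILITY line and returns the protocol steps a hardened client would take, preferring a SASL security layer when a Kerberos credential is available (the server-operator preference in the reply) and otherwise falling back to STARTTLS. The mechanism and capability names are the standard IMAP/SASL tokens; the CAPABILITY strings used as input are constructed, and the `prefer_sasl_layer` knob is an assumption of this example. Note that DIGEST-MD5, mentioned in the thread as the other layer-capable mechanism, was later moved to Historic status by RFC 6331, so a current policy would omit it.

```python
"""Choose an IMAP session-protection strategy from CAPABILITY responses.

Added example for the imap-uw thread above; not project code.  It models
the two options debated there: a SASL mechanism with its own security
layer (GSSAPI/Kerberos, DIGEST-MD5) versus STARTTLS followed by
authentication inside the TLS channel.
"""
import re

# SASL mechanisms that can negotiate their own integrity/privacy layer.
# DIGEST-MD5 is kept for fidelity to the 2006 discussion; RFC 6331 later
# moved it to Historic, so a modern policy would drop it from this tuple.
LAYER_MECHS = ("GSSAPI", "DIGEST-MD5")


def parse_capabilities(line):
    """Split an untagged CAPABILITY response into (capabilities, auth mechs).

    Example input (constructed):
        '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI'
    """
    m = re.match(r"^\*\s+CAPABILITY\s+(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    tokens = m.group(1).upper().split()
    caps = {t for t in tokens if not t.startswith("AUTH=")}
    mechs = {t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")}
    return caps, mechs


def choose_protection(pre_tls_line, have_kerberos, post_tls_line=None,
                      prefer_sasl_layer=True):
    """Return the ordered steps a client should take, or None if it must
    refuse because credentials would cross the wire unprotected.

    pre_tls_line      CAPABILITY response seen on the cleartext connection.
    have_kerberos     whether the client holds a usable Kerberos ticket.
    post_tls_line     CAPABILITY response re-issued after STARTTLS; the
                      pre-TLS list is unauthenticated and must not be trusted
                      for mechanism selection inside TLS.
    prefer_sasl_layer prefer a SASL layer over TLS when both are possible
                      (hypothetical policy knob; False models the typical
                      client-vendor choice of TLS first, then Kerberos).
    """
    caps, mechs = parse_capabilities(pre_tls_line)

    # Option A: GSSAPI with a SASL privacy layer.  No TLS handshake and no
    # server certificate to validate or revoke; protection comes from the
    # Kerberos session key instead.
    if prefer_sasl_layer and have_kerberos and "GSSAPI" in mechs:
        return ["AUTHENTICATE GSSAPI", "negotiate SASL privacy layer"]

    # Option B: wrap the session in TLS, then authenticate inside it.
    if "STARTTLS" in caps:
        steps = ["STARTTLS", "verify server certificate", "CAPABILITY"]
        if post_tls_line is None:
            return steps + ["(re-run choice on post-TLS CAPABILITY)"]
        tls_caps, tls_mechs = parse_capabilities(post_tls_line)
        if have_kerberos and "GSSAPI" in tls_mechs:
            return steps + ["AUTHENTICATE GSSAPI (no SASL layer needed)"]
        if "PLAIN" in tls_mechs:
            return steps + ["AUTHENTICATE PLAIN"]
        if "LOGINDISABLED" not in tls_caps:
            return steps + ["LOGIN"]
        return None  # encrypted channel, but no usable mechanism

    # Option C: no TLS offered; only a mechanism with its own layer will do.
    for mech in LAYER_MECHS:
        if mech in mechs and (mech != "GSSAPI" or have_kerberos):
            return ["AUTHENTICATE " + mech, "negotiate SASL privacy layer"]

    # Never send PLAIN/LOGIN credentials over an unprotected connection,
    # regardless of whether the server advertises LOGINDISABLED.
    return None


if __name__ == "__main__":
    sample = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI"
    print(choose_protection(sample, have_kerberos=True))
    print(choose_protection(sample, have_kerberos=False))
```

The decision order encodes the point made in the reply: when the client is one the site controls (a webmail front end with a Kerberos credential), the SASL layer path removes the certificate lifecycle and the per-connection TLS key exchange, while every other client still gets STARTTLS. The refusal branch is the part most real clients get wrong; a server that omits STARTTLS and offers only AUTH=PLAIN should cause the client to stop, not to log in anyway.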

_______________________________________________
Imap-uw mailing list
[email protected]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw