On Nov 2, 2006, at 12:26 PM, Richard Troy wrote:
Well, there's simply no need. While I can agree that more could be
done,
I'm not convinced there's a need because what we have now works
fine. Let
me support my view by stating first that I perceive that combining the
conception of encrypting a communications channel with user
authentication
to be a very poor choice. I gather from the paragraph above that
this is a
forgone conclusion. Apologies if I'm mistaken.
Understand that I'm talking about *real* security here. There are
standard protocols and libraries that support real security: SASL
and GSSAPI in particular. You may for various reasons decide that
it's "too hard" to do real security. Most people don't, including
most people who use SSL. I'm not saying that's *wrong*, just that
some possible attack methods have not been prevented.
At the level of detail that's appropriate for this list, all I can do
is repeat myself.
Part of establishing a secure connection is establishing that the end
points are the intended ones and there is no Man In the Middle.
Establishing the end points means the server has identified the user
within the name space of the security mechanism.
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]
---------------------------(end of broadcast)---------------------------
TIP 7: You can help support the PostgreSQL project by donating at
http://www.postgresql.org/about/donate