Re: draft minutes from Chicago meeting
Surely making TLS mandatory to implement as a SASL authentication mechanism
implies that if this is all the server supports then all human clients
wishing to be strongly authenticated must have a certificate (and private
key) which, although maybe a future expectation, certainly isn't the case
today.
I suspect that most human clients today would be happy with an encrypted
password technique like CRAM-MD5 to provide strong authentication. This
could be combined with an encrypted, but not client authenticated, TLS
session if full data confidentiality and integrity is required. Therefore,
I would suggest that CRAM-MD5 (or its equivalent) is a more realistic SASL
mechanism to mandate in real-world terms.
Phil Pinkerton, ICL
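As an added illustration that is not part of the thread, here is the CRAM-MD5 exchange the post refers to, written out for both sides as RFC 2195 specifies it: the server sends a one-time challenge, the client answers with its username and an HMAC-MD5 over the challenge keyed with the password, and the server recomputes the HMAC from its stored copy of the shared secret. The hostname, username and password are constructed sample values, not from the page.

```python
"""CRAM-MD5 (RFC 2195) challenge/response, both sides, as an added example."""
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname: str) -> bytes:
    """Server side: a fresh, unpredictable challenge in the msg-id style RFC 2195 uses."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode("ascii")


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: HMAC-MD5 keyed with the password over the challenge, hex-encoded.

    The password itself never leaves the client; only the keyed digest does.
    """
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode("utf-8")


def server_verify(response: bytes, challenge: bytes, secrets: dict) -> bool:
    """Server side: recompute the HMAC from the stored shared secret, compare in constant time."""
    try:
        username, digest = response.decode("utf-8").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    secret = secrets.get(username)
    if secret is None:
        # Do a dummy comparison so response timing does not reveal which usernames exist.
        hmac.compare_digest(b"0" * 32, digest.encode("utf-8"))
        return False
    expected = hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8"))


def run_exchange(username: str, password: str, secrets: dict, challenge: bytes = None):
    """Drive one exchange in SASL's base64 wire encoding.

    Returns (accepted, wire_challenge, wire_response) so the two messages can be inspected.
    """
    if challenge is None:
        challenge = make_challenge("mail.example.test")  # constructed placeholder hostname
    wire_challenge = base64.b64encode(challenge)            # server -> client
    resp = client_response(username, password, base64.b64decode(wire_challenge))
    wire_response = base64.b64encode(resp)                  # client -> server
    accepted = server_verify(base64.b64decode(wire_response), challenge, secrets)
    return accepted, wire_challenge, wire_response


if __name__ == "__main__":
    # Constructed sample credentials; the server's table holds the shared secret in clear.
    SECRETS = {"alice": "correct horse battery staple"}
    ok, c, r = run_exchange("alice", "correct horse battery staple", SECRETS)
    print("S:", c.decode(), "\nC:", r.decode(), "\naccepted:", ok)
```

Two properties of the mechanism are visible in the code: a captured response is useless against a later challenge, because the digest is bound to the challenge string, but the server has to keep the shared secret in a form from which the HMAC can be recomputed, so it cannot store a salted one-way hash. The exchange protects the password on the wire; it does nothing for the server's credential store, and, by itself, nothing for the message traffic that follows, which is where the TLS layer the post mentions comes in.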