[JDEV] Re: SASL, deployment and coding

David Waite mass at akuma.org
Tue Feb 4 19:05:22 CST 2003

Matthew Beacher wrote:

> David Waite wrote:
>> I do not want to use transport encryption, because
>> 1) it does not provide any solid security because of existing 
>> non-encrypted connections, and because you cannot guarantee trust of 
>> the remote endpoint across hops (in real-world terms, "a friend of a 
>> friend of a friend once told me about this guy" should not have the 
>> same amount of trust as actually knowing the person being talked 
>> about directly.)
>> 2) it is impractical for many embedded applications.
>> 3) it puts unnecessary load on the server
>> -David Waite
> The use of Transport Encryption is not up to the server; if a
> Transport Encryption is negotiated during SASL, you must use it, if
> it is negotiated. This is according to Cyrus SASL docs.

I don't believe I said otherwise.

-David Waite

