Message-Id: <200009232104.e8NL43121256@orthanc.ab.ca>
To: freebsd-security@freebsd.org
Subject: Importing SASL to the base system
Organization: The Frobozz Magic Homing Pigeon Company
Date: Sat, 23 Sep 2000 15:04:03 -0600
From: Lyndon Nerenberg

Since we're talking about increasing security, I think it's time to consider importing SASL functionality into the base OS. SASL is already widely used in IMAP, and its use is increasing in POP3 and SMTP/LMTP. The following protocols currently support SASL authentication:

    RFC2060  IMAP4 Rev 1
    RFC2229  A Dictionary Server Protocol
    RFC2244  ACAP -- Application Configuration Access Protocol
    RFC2251  LDAP v3
    RFC2449  POP3 Extensions
    RFC2554  SMTP Service Extension for Authentication
    RFC2645  On-Demand Mail Relay
    RFC2829  Authentication Methods for LDAP (also RFC2830 and RFC2831)

In addition, SASL is proposed for the following protocols and services: Internet Messaging and Calendaring, BEEP, PPP, SIEVE, Secure remote password change, FTP, and others I've forgotten. With the IETF requiring secure authentication (when authentication is applicable) in future protocols, the use of SASL will only increase.

The use of SASL in email right now is (I think) sufficient justification to import it. We should be able to ship MTAs that support SASL out-of-the-box. We can't do that right now as the base tools can't rely on a port. Sendmail could use this immediately if it was in the base.

The CMU SASL code has proved to be stable, and is a candidate for inclusion, although it would certainly need a work-over before being imported. And we would need a good architecture/design plan before doing anything.

I'm willing to do the work to make this happen if there is a committer who would volunteer to work with me on this.

--lyndon