From owner-freebsd-hackers Sat Jun 22 10:29:47 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from orthanc.ab.ca (orthanc.ab.ca [216.123.203.186]) by hub.freebsd.org (Postfix) with ESMTP id 9503837B400 for ; Sat, 22 Jun 2002 10:29:44 -0700 (PDT)
Received: from orthanc.ab.ca (localhost.orthanc.ab.ca [127.0.0.1]) by orthanc.ab.ca (8.12.3/8.12.3) with ESMTP id g5MHTeJZ082215; Sat, 22 Jun 2002 11:29:40 -0600 (MDT) (envelope-from lyndon@orthanc.ab.ca)
Message-Id: <200206221729.g5MHTeJZ082215@orthanc.ab.ca>
From: Lyndon Nerenberg
Organization: The Frobozz Magic Homing Pigeon Company
To: Terry Lambert
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Cyrus vs. UW IMAP (was: Re: I Volunteer)
In-reply-to: Your message of "Sat, 22 Jun 2002 01:17:52 PDT." <3D1432B0.58F863B5@mindspring.com>
X-Mailer: mh-e 5.0.92; MH 6.8.4; Emacs 21.2
Date: Sat, 22 Jun 2002 11:29:40 -0600
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

>>>>> "Terry" == Terry Lambert writes:

Terry> Personally, I think SASL should have specified that you
Terry> crypt(3) the passwords, and then use the resulting hash as
Terry> the password value for the shared secret on both ends. At
Terry> least that way, you would not have to pass cleartext to use
Terry> the UNIX account database.

The problem with this is that if you serve up your password database via NIS, an attacker can grab the crypt()ed password and use it to perform a forged authentication.

Note that in the next revision of the IMAP4 spec STARTTLS will be mandatory to implement.

--lyndon

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
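The property Lyndon is pointing at is that, in a challenge-response mechanism whose shared secret is the stored crypt(3) hash, the hash becomes password-equivalent: anything that can read the account database (an NIS passwd map, for instance) holds the credential itself. The following is an added illustration written for this archive page, not code from the thread or from any SASL or IMAP implementation. It models a CRAM-style exchange with HMAC-SHA256 over a server nonce and uses a salted SHA-256 as a constructed stand-in for crypt(3) output; the function names and sample values are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for crypt(3): a salted SHA-256 of the password, hex-encoded.
# Real crypt(3) output has a different format, but the property that matters here
# is identical: a deterministic function of (salt, password) that is stored in the
# account database and readable by anything that can read that database.
def derive_shared_secret(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def new_challenge() -> bytes:
    """Server side: a fresh random nonce sent to the client for this login."""
    return os.urandom(16)


def client_response(shared_secret: str, challenge: bytes) -> str:
    """Client side of a CRAM-style mechanism: prove knowledge of the shared
    secret by returning HMAC(secret, challenge); the secret itself never
    crosses the wire."""
    return hmac.new(shared_secret.encode(), challenge, hashlib.sha256).hexdigest()


def server_verify(stored_secret: str, challenge: bytes, response: str) -> bool:
    """Server side: recompute from the stored secret and compare in constant time."""
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def run_scenario(password: str, salt: bytes, challenge: bytes) -> dict:
    """Walk one challenge through three clients and report who the server accepts.
    Inputs are constructed sample values, not real credentials."""
    # What the account database (e.g. an NIS passwd map) holds for this user.
    stored_secret = derive_shared_secret(password, salt)

    # 1. A client that knows the password derives the secret and authenticates.
    from_password = client_response(derive_shared_secret(password, salt), challenge)

    # 2. A party that only read the stored hash from the database, and never
    #    learned the password, produces exactly the same response: in this
    #    design the hash *is* the credential, which is the risk the mail raises.
    from_hash_only = client_response(stored_secret, challenge)

    # 3. A wrong password yields a different secret and is rejected, so the
    #    mechanism does work as authentication; its weakness is what it protects.
    from_wrong_password = client_response(derive_shared_secret(password + "x", salt), challenge)

    return {
        "password_holder_accepted": server_verify(stored_secret, challenge, from_password),
        "hash_holder_accepted": server_verify(stored_secret, challenge, from_hash_only),
        "wrong_password_accepted": server_verify(stored_secret, challenge, from_wrong_password),
    }


if __name__ == "__main__":
    result = run_scenario("correct horse", b"salt1234", new_challenge())
    for name, accepted in result.items():
        print(f"{name}: {accepted}")
```

The takeaway for a defender is that challenge-response with a database-derived secret only moves the problem: the sniffing risk of cleartext is traded for a stored-secret disclosure risk, so the hash must be protected as strictly as the password itself. That is why the thread's closing remark matters: with STARTTLS mandatory to implement, the channel can be encrypted first, and the password-equivalence of any stored verifier is no longer the only line of defence against an exposed directory.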