
SMTP AUTH design-team meeting addendum



One point brought up at the meeting that I neglected to mention:

The desire for reactive authentication appears to come from a site
policy that relay requires authentication for clients connecting from
external networks, but is allowed without authentication for clients
connecting from internal networks.

The SMTP AUTH spec should mention the principle that servers SHOULD NOT
advertise the existence of mechanisms whose use provides no benefit to
either client or server.  For example, consider a server which
implements CRAM-MD5 authentication, and has the policy that clients
connecting from certain networks have authorization which is not
affected by authentication.  Since CRAM-MD5 does not implement a
security layer, it does not itself provide a benefit to the client.  If
the policy for a given client is such that CRAM-MD5 authentication does
not affect the client's authorization, then the server should not
advertise the CRAM-MD5 mechanism to that particular client.
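The following is an added example, not code from the message or from any SMTP AUTH implementation, showing one way a server could apply this principle when building its EHLO response. It assumes a policy model of "trusted relay networks" (clients there may relay without authenticating) and a per-mechanism flag saying whether the mechanism negotiates a security layer; the network ranges, hostname and mechanism table are constructed sample values.

```python
"""Decide which SASL mechanisms an SMTP server advertises to a given client.

Principle: do not advertise a mechanism whose use benefits neither side.
A client that is already authorized to relay gains nothing from a
mechanism that only authenticates (no security layer), so that mechanism
is left out of the AUTH line for that client.
"""
import ipaddress

# Mechanisms the hypothetical server implements. The security_layer flag
# records whether the mechanism can negotiate integrity/confidentiality
# protection after authentication. CRAM-MD5 cannot; in this model GSSAPI
# is assumed to be configured so that it can.
MECHANISMS = {
    "CRAM-MD5": {"security_layer": False},
    "GSSAPI": {"security_layer": True},
}

# Constructed sample policy: clients on these networks may relay without
# authenticating, so authentication does not change their authorization.
TRUSTED_RELAY_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def relay_allowed_unauthenticated(client_ip, trusted=TRUSTED_RELAY_NETWORKS):
    """True if site policy lets this client relay without authenticating."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in trusted)


def mechanisms_to_advertise(client_ip, mechanisms=MECHANISMS,
                            trusted=TRUSTED_RELAY_NETWORKS):
    """Return the sorted list of mechanisms that benefit this client."""
    if not relay_allowed_unauthenticated(client_ip, trusted):
        # Authentication changes authorization (it enables relay), so every
        # implemented mechanism is of use to the client.
        return sorted(mechanisms)
    # Authorization is unaffected by authentication: only mechanisms that
    # add a security layer still give the client something.
    return sorted(name for name, props in mechanisms.items()
                  if props["security_layer"])


def ehlo_response(client_ip, hostname="mail.example.test",
                  mechanisms=MECHANISMS, trusted=TRUSTED_RELAY_NETWORKS):
    """Build the multi-line 250 reply to EHLO for this client.

    Per RFC 5321 formatting, continuation lines use "250-" and the final
    line uses "250 " (space). The AUTH line is omitted entirely when no
    mechanism is worth advertising.
    """
    lines = [f"250-{hostname}"]
    mechs = mechanisms_to_advertise(client_ip, mechanisms, trusted)
    if mechs:
        lines.append("250-AUTH " + " ".join(mechs))
    lines.append("250 8BITMIME")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # External client: authentication gates relay, both mechanisms shown.
    print(ehlo_response("203.0.113.5"), end="")
    # Internal client: CRAM-MD5 adds nothing, only GSSAPI is advertised.
    print(ehlo_response("10.1.2.3"), end="")
    # Internal client of a server that only implements CRAM-MD5: no AUTH line.
    print(ehlo_response("10.1.2.3", mechanisms={"CRAM-MD5": {"security_layer": False}}), end="")
```

The decision is made per connection, which is what lets the same server keep advertising CRAM-MD5 to external clients (where it does gate relay) while hiding it from internal ones.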