Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!sun-barr!rutgers!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Authenticated SMTP, anyone done one?
Message-ID: <5535.Jun1503.59.5791@kramden.acf.nyu.edu>
Date: 15 Jun 91 03:59:57 GMT
References: <43225@cup.portal.com> <1991Jun13.222559.7574@bronze.ucs.indiana.edu> <1991Jun14.053704.1059@solbourne.com>
Organization: IR
Lines: 24

In article <1991Jun14.053704.1059@solbourne.com> imp@solbourne.com (Warner Losh) writes:
> In article <1991Jun13.222559.7574@bronze.ucs.indiana.edu> hughes@logos.ucs.indiana.edu (larry hughes) writes:
> >[PEM's] use is strictly voluntary, and unless both sender and recipient
> >implement it, it's not very useful.
> So is RFC 931. RFC 931 is on more hosts than PEM. There are a LARGE
> number of hosts that don't use RFC 931.

Sure, but the beauty of a link-level security protocol is that you can
add it in bits and pieces. If you add RFC 931 support at just one mail
exchanger, you've suddenly made every message through that exchanger a
bit more secure. If a year from now someone's message happens to wend
its way through several RFC 931 sites, forgeries are suddenly that much
more difficult.

It would help if more vendors supported RFC 931. I've offered my
implementation (as well as the sendmail and talk patches) to Sun and
Berkeley, but they don't seem to understand how it's better than
Kerberos. (Two answers: immediate availability of a simple, working
implementation; wide-area network support.)

I'd love to help people add RFC 931 support to their programs; I'm happy
to report that the new ftpd release from Chris Myers will include RFC 931
authentication as an option.

---Dan