On Tue, 2004-07-13 at 01:02 +0200, Jonas Smedegaard wrote:
> Colin Walters wrote:
> > On Mon, 2004-07-12 at 19:04 +0300, Timo Sirainen wrote:
> > > Anyway, Postfix didn't do integrity protection with Cyrus library either even though it supported it.
> > Hm, that's too bad. Kerberos support isn't useful to me unless it does integrity, since otherwise you need SSL, and I'm trying to avoid using SSL.
> Why? Is SSL bad in some way?
SSL isn't bad. The situation is this: I am setting up a new server (email/web, etc.) for myself, a few friends, and my dad. The first time I did this, I created my own CA, and used my own certificates for imap and smtp, because I didn't want to pay a thousand dollars (i.e. about as much as my hardware cost) to Verisign. The major problem I ran into was getting my dad and some of my friends' Windows machines to trust my CA. It involved a lot of complexity with this "mmc" program. Not to mention my dad has multiple machines, one of them at his office that I didn't have access to. The rest of my friends use Linux as I do, but even there configuring different applications to trust a certificate isn't easy.
Kerberos seems rather ideal for this situation instead of certificates, since it doesn't require any client-side configuration or information except their password. So I'm working on using Kerberos this second time around.
As Ray pointed out, Kerberos and SSL aren't exclusive, but normally when people say "SSL" they mean the certificate-based mechanisms.
There are other reasons to use Kerberos instead of SSL too:
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbvsssl