[Dovecot] [patch] gssapi support

Ray Miller ray at sysdev.oucs.ox.ac.uk
Tue Jul 13 11:11:11 EEST 2004


On Tue, Jul 13, 2004 at 01:02:14AM +0200, Jonas Smedegaard wrote:
> >Hm, that's too bad.  Kerberos support isn't useful to me unless it does
> >integrity, since otherwise you need SSL, and I'm trying to avoid using
> >SSL.
> 
> Why? Is SSL bad in some way?

At the very least, it adds complexity, and an overhead in the
public-key cryptography.

Kerberos already provides mutual authentication and, as a side effect
of the authentication, a session key.  If you're going to use SSL as
well, the SSL session key needs to be negotiated separately.  RFC 2712
(Addition of Kerberos Cipher Suites to Transport Layer Security)
attempts to address these issues, but I'm not sure how widely this is
implemented.

-- 
Ray Miller, Unix Systems Programmer & Team Leader
Systems Development & Support, Computing Services, University of Oxford