[Dovecot] [patch] gssapi support

Colin Walters walters at verbum.org
Tue Jul 13 18:17:31 EEST 2004


On Tue, 2004-07-13 at 01:02 +0200, Jonas Smedegaard wrote:
> Colin Walters wrote:
> > On Mon, 2004-07-12 at 19:04 +0300, Timo Sirainen wrote:
> 
> >>Anyway, Postfix didn't do integrity protection with Cyrus library either
> >>even though it supported it. 
> > 
> > 
> > Hm, that's too bad.  Kerberos support isn't useful to me unless it does
> > integrity, since otherwise you need SSL, and I'm trying to avoid using
> > SSL.
> 
> Why? Is SSL bad in some way?

SSL isn't bad.  The situation is this: I am setting up a new server
(email/web, etc.) for myself, a few friends, and my dad.  The first time I
did this, I created my own CA, and used my own certificates for imap and
smtp, because I didn't want to pay a thousand dollars (i.e. about as
much as my hardware cost) to Verisign.  The major problem I ran into was
getting my dad and some of my friends' Windows machines to trust my CA.
It involved a lot of complexity with this "mmc" program.  Not to mention
my dad has multiple machines, one of them at his office that I didn't
have access to.  The rest of my friends use Linux as I do, but even
there configuring different applications to trust a certificate isn't
easy.

Kerberos seems rather ideal for this situation instead of certificates,
since it doesn't require any client-side configuration or information
except their password.  So I'm working on using Kerberos this second
time around.  

As Ray pointed out, Kerberos and SSL aren't exclusive, but normally when
people say "SSL" they mean the certificate-based mechanisms.

There are other reasons to use Kerberos instead of SSL too:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbvsssl
