Subject: Re: rfc2228 in ftpd
To: Aidan Cully <>
From: Ken Hornstein <>
List: tech-security
Date: 06/24/2002 00:09:23
>SSL is (surprisingly enough) like the web.  It's not designed for the
>uses to which it's been put.  Wake me when SSL can do a reasonable job
>of authentication, and isn't just for encryption.  You might have
>convinced me if you said "SASL" instead of SSL, but SASL doesn't deal
>well with FTP's concept of separate command and data connections.

RFC 2228 clearly predates SASL; I think the authors would have used SASL
if it existed.  How you encrypt/integrity protect the data channel is,
of course, an interesting question ... the simplest method would be to do
a second, complete authentication exchange over the data channel.