Subject: Re: rfc2228 in ftpd
To: Steven M. Bellovin <>
From: Perry E. Metzger <>
List: tech-userlevel
Date: 06/23/2002 23:04:16
"Steven M. Bellovin" <> writes:
> In message <>, "Perry E. Metzger" writes:
> >I'm not sure I was even aware of that RFC before now. Are we sure the
> >IETF still considers it to be a standards track document? I'd also
> >suggest that the matter be discussed on tech-security -- tech-userlevel
> >is not the right list...
> It's still listed as "Proposed Standard" in the index.

Yah, but it has never gotten past Proposed to Draft, and I'm unaware
of implementations.  At the time it was written, the world was very
different, and rolling (mostly) your own security transport was
common. Now everyone Just Uses SSL. The question in my mind is, given
the utter lack of implementations, do we want something where we've
got a whole new protocol with potential holes, or do we Just Use SSL
so we can piggy back on its properties?

Steve, you're a Security AD. What's your opinion?

Perry E. Metzger
NetBSD: The right OS for your embedded design.