Subject: Re: rfc2228 in ftpd
To: Aidan Cully <firstname.lastname@example.org>
From: Ken Hornstein <email@example.com>
Date: 06/24/2002 00:09:23

>SSL is (surprisingly enough) like the web. It's not designed for the
>uses to which it's been put. Wake me when SSL can do a reasonable job
>of authentication, and isn't just for encryption. You might have
>convinced me if you said "SASL" instead of SSL, but SASL doesn't deal
>well with FTP's concept of separate command and data connections.

RFC 2228 clearly predates SASL; I think the authors would have used SASL
if it existed. How you encrypt/integrity protect the data channel is,
of course, an interesting question ... the simplest method would be to do
a second, complete authentication exchange over the data channel.