>SSL is (surprisingly enough) like the web.  It's not designed for the
>uses to which it's been put.  Wake me when SSL can do a reasonable job
>of authentication, and isn't just for encryption.  You might have
>convinced me if you said "SASL" instead of SSL, but SASL doesn't deal
>well with FTP's concept of separate command and data connections.

RFC 2228 clearly predates SASL; I think the authors would have used SASL
if it existed.  How you encrypt/integrity protect the data channel is,
of course, an interesting question ... the simplest method would be to do
a second, complete authentication exchange over the data channel.

--Ken