From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4766D0B2.8030008@authentrus.com>
Date: Mon, 17 Dec 2007 14:40:34 -0500
From: Wes Kussmaul
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] upas/smtpd password authentication
References: <20071216180213.32FA61E8C5C@holo.morphisms.net>
 <1a579fc66314c00596b0b6f99acf5fc8@quanstro.net>
 <20071217165431.GG603@csail.mit.edu>
In-Reply-To: <20071217165431.GG603@csail.mit.edu>
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: quoted-printable
Topicbox-Message-UUID: 1bced46a-ead3-11e9-9d60-3106f5b1d025

***off list***

Jonathan,

I've been bringing these issues up over the years with the Plan 9 crowd.
I think the real response is that the Plan 9 culture is all about
collegial groups and not about what I call Rocinha, the wider world
where bad things happen if you don't guard against them.

Wes Kussmaul

Jonathan D. Proulx wrote:
> On Sun, Dec 16, 2007 at 06:16:06PM -0500, erik quanstrom wrote:
>
> :i'm not a security expert. what case that i can't currently see
> :would tls solve for me that's worth the extra configuration.
> :what am i missing?
>
> It will prevent the username:password pair from being easily
> snooped. Minimally this would compromise email, which as you say is
> inherently insecure, but how many of your users have the same username
> password pair for other things too (like the plan9 password you wish
> to protect).
>
> It is this secondary case that is more dangerous, you can blame the users
> for overloading their credentials and mixing "secure" and "insecure"
> usages, but they will blame you if their email password is also their
> bank password.
>
> At least those are the things I worry about with my users...
>
> -Jon
>

--
Wes Kussmaul
CIO
The Village Group
738 Main Street
Waltham, MA 02451
781-647-7178

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify attorney Mort Hapless at Vulner, Exposed & Wideopen LLP immediately at either (781) 647-7178, or at ohoh@vulex.com, and destroy all copies of this message and any attachments. No, really. Really. Listen, we mean it! Hey, if you don’t stop reading that confidential stuff about our client you’re in big trouble. OK, we’re the ones in trouble but we’ll find a way to go after you, or at least we think we may be able to. Look, we’re begging you. Just click the delete button and move on to a message that concerns you, OK? Please?? We'll buy you lunch...

Identity is the Foundation of Security™. Let Authentrus (authentrus.com) ensure that only intended recipients receive your confidential messages.