Cyrus POP3 Issue

Marco Colombo marco at esi.it
Mon Mar 14 12:50:04 EST 2005


Rob Siemborski wrote:
> On Mon, 14 Mar 2005, Marco Colombo wrote:
> 
>> Now, can you claim conformance to RFC 2831 if you're using /dev/urandom?
>> Does the fact that your cyrus server is heavily used fall under those
>> "particular circumstances"? Or is it normal operations, instead?
>> What are the "valid reasons" you found not to use /dev/random, in your
>> _particular_ case?
> 
> 
> That the server will basicly fail to function if /dev/random is blocks 
> indefinately?
> 
> If a site feels they need more entropy, they can always use /dev/random 
> (or any other source of entropy).  We originally had that as a default 
> configuration, but in a large number of deployments, it caused more 
> problems than it solved.

I understand that. I've replied only because you mentioned RFC 2831.

I'm not happy to hear there is a 'large number of deployments' where
RFC 2831 recommandation is violated. The admins of those site should
consider either getting more resources (entropy, in this case) or stop
running any strong but demanding SASL mechanism (or SSL/TLS). Once
again, by definition, "a large number" does not mix well with the
"particular circumstances" mentioned in the RFC.

The problem of those site was not our default configuration. Their problem
is that they're using a solution they can't afford. Running out of entropy
should raise a flag to them, and make them switch to less demanding mechs,
or consider an upgrade.

What's the point in using any strong auth mech in a way that violates
its RFC recommandations? Moreover, is it ok for any software having a
_default_ configuration that acts against some RFCs?

Now we have a large number of sites that runs a stripped-down version of
DIGEST-MD5 that RFC 2831 _barely_ allows. I just think they should be
made aware of the implications _before_ they do. Let their servers block,
let them learn why, let them ponder on implications, and let them make a
decision. Be it not using strong mechs, or getting a decent source of
entropy, or using /dev/urandom I dont' care. Just let them hit the
problem and decide.

Having said that, now I'll let this thread die, I promise. :-)

.TM.
-- 
       ____/  ____/   /
      /      /       /			Marco Colombo
     ___/  ___  /   /		      Technical Manager
    /          /   /			 ESI s.r.l.
  _____/ _____/  _/		       Colombo at ESI.it

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html




More information about the Info-cyrus mailing list