[Dev] Client/server authentication

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Oct 23 07:58:17 PDT 2002


Since this is obviously early in Chandler's development process, I
think it might make sense to talk about security a bit (because in my
experience, adding security to an application after it's finished is
always painful).

The thing I'm really interested in at this point is securing the link
between the client & server for POP/IMAP/SMTP.  I know, this seems rather
boring at this stage ... but I think this is an area lacking in a number
of email applications out there today (but this is slowly changing).

I know many people will think that using SSL for the above protocols is
sufficient ... I'd prefer to not get in a debate about security
technologies, but let me just say that SSL isn't sufficient for our
needs.  I think it would be useful for Chandler to support SASL as well
as SSL for the email protocols, since you can use a variety of
different security mechanisms depending on your site's infrastructure.
What to do about security within Jabber is of course a larger question,
but I figure it's worth tackling the small problem before you get to
the big one :-)

I have some experience adding SASL support to various programs, if this
is any help to the project.

(I will confess that my secret goal is to make sure Chandler has reasonable
Kerberos support, that's why I'm promoting SASL).

--Ken


