>>The question is whether or not it is safe to exempt localhost connections.
>>Since localhost does not go out over the wire and hence is internal to the
>>local system, it arguably is not within the IETF domain to declare compliance

>I'd rather turn the ball(?) around, and ask - why can't the localhost
>client use TLS or SSL like everyone else? I guess the obvious argument
>is that it wastes cycles and does not provide more security.

>But is it worth the effort to make an exception in the protocol here?

Yes, it is. In particular, when the "localhost" connection is over a
non-IP transport (e.g. a UNIX named socket). This is an implementation
issue, and not something the IETF needs to address. Regardless, using a
named socket for local connections, thus bypassing the local IP network
stack, can (and does) give dramatic increases in the throughput of the
local connection. (This increase in throughput was the motivation for
the named socket transport patches to sendmail -- we were able to
increase our message delivery rate by a factor of 20 on some UNIX
platforms.)

--lyndon
