[jdev] Re: [Psi-devel] Some login/sasl questions for 0.11
Dave Cridland
dave at cridland.net
Mon Feb 5 08:06:45 CST 2007
On Mon Feb 5 01:01:13 2007, Matthias Wimmer wrote:
> Sorry, I already deleted the posting I am replying to.
>
> Concerning the question of whether establishing a SASL encryption layer
> should be supported inside a connection that is already protected
> by a TLS layer:
This interested me, so I discussed this with the SASL guys in the
office, and the result, as I understand it, is as follows.

Basically, what you're discussing is related to Channel Binding -
there's a lot of work going on in that area in the IETF at the
moment, including an updated DIGEST-MD5 which does channel binding.
There are other mechanisms under development which will also use
channel binding. This basically ensures that both ends of the
authentication have the same idea of the encrypted channel used.

Now, if you use SASL security layers in addition to TLS, then this
does negate the need for channel binding, but it also negates the
need for TLS to a large degree. So for a server, you want SASL
security layers, and ignore TLS.

Since SASL security layers are often weaker, and also have certain
undesirable properties, such as transmitting the userid and authid in
the clear, though, you want to be using TLS as a client.

Does this help?

I thought not. :-)
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
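The channel-binding property Dave describes above, as an added example that is not part of the thread and not the IETF DIGEST-MD5 channel-binding work itself: a deliberately simplified model in which the client mixes its view of the TLS channel (standing in for something like the TLS Finished message) into its SASL proof, and the server checks the proof against its own view. On a direct connection both views match; when a TLS-terminating relay sits in between there are two TLS sessions and the proof no longer verifies, even though the relay forwards everything verbatim. The constant values, the HMAC-based proof and the function names are all constructed for this illustration.

```python
"""Toy model of SASL channel binding over TLS (added example; the proof
construction and all values are constructed for illustration, not a real
SASL mechanism)."""
import hashlib
import hmac

# Constructed stand-ins for per-session TLS channel-binding data.
# Both ends of one TLS session see the same value; a relay that terminates
# TLS and re-originates it has two sessions, hence two different values.
CB_SESSION_A = hashlib.sha256(b"tls-session-client<->server").digest()
CB_SESSION_B = hashlib.sha256(b"tls-session-relay<->server").digest()
SERVER_NONCE = b"constructed-nonce-0001"


def client_auth_response(password: bytes, nonce: bytes, channel_binding: bytes) -> bytes:
    """Client side: bind the proof to the server nonce and to the client's
    own view of the encrypted channel."""
    key = hashlib.sha256(password).digest()
    return hmac.new(key, nonce + channel_binding, hashlib.sha256).digest()


def server_verify(password: bytes, nonce: bytes, channel_binding: bytes, proof: bytes) -> bool:
    """Server side: recompute with the server's own view of the channel and
    compare in constant time."""
    expected = client_auth_response(password, nonce, channel_binding)
    return hmac.compare_digest(expected, proof)


def run_handshake(password: bytes, client_cb: bytes, server_cb: bytes, bind: bool = True) -> bool:
    """Simulate one SASL exchange. With bind=False the mechanism ignores the
    channel (both sides use empty binding data), which is the behaviour
    channel binding was introduced to fix."""
    cb_client = client_cb if bind else b""
    cb_server = server_cb if bind else b""
    proof = client_auth_response(password, SERVER_NONCE, cb_client)
    return server_verify(password, SERVER_NONCE, cb_server, proof)


def direct_connection(password: bytes, bind: bool = True) -> bool:
    """Client and server share a single TLS session."""
    return run_handshake(password, CB_SESSION_A, CB_SESSION_A, bind)


def relayed_connection(password: bytes, bind: bool = True) -> bool:
    """A TLS-terminating relay forwards nonce and proof unchanged, but the
    client and server are on different TLS sessions."""
    return run_handshake(password, CB_SESSION_A, CB_SESSION_B, bind)


if __name__ == "__main__":
    pw = b"constructed-password"
    print("direct, bound:   ", direct_connection(pw))          # True
    print("relayed, bound:  ", relayed_connection(pw))         # False
    print("relayed, unbound:", relayed_connection(pw, bind=False))  # True
```

The unbound case is the one Dave's remark about SASL security layers addresses from the other direction: if the SASL layer itself provides the confidentiality and integrity, the question of which TLS channel the proof belongs to stops mattering, at the cost of the weaker layer and the cleartext identities he mentions.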