[jdev] Re: [Psi-devel] Some login/sasl questions for 0.11
Matthias Wimmer
m at tthias.eu
Mon Feb 5 08:46:01 CST 2007
Hi Dave!
Dave Cridland schrieb:
>> Concerning the question if establishing a SASL encryption layer should
>> be supported inside a connection, that is already protected by a TLS
>> layer:
>
> This interested me, so I discussed this with the SASL guys in the
> office, and the result, as I understand it, is as follows.
>
> Basically, what you're discussing is related to Channel Binding -
> there's a lot of work going on in that area in the IETF at the moment,
> including an updated DIGEST-MD5 which does channel binding. There are
> other mechanisms under development which will also use channel binding.
> This basically ensures that both ends of the authentication have the
> same idea of the encrypted channel used.
Right.
> Now, if you use SASL security layers in addition to TLS, then this does
> negate the need for channel binding, but it also negates the need for
> TLS to a large degree. So for a server, you want SASL security layers,
> and ignore TLS.
>
> Since SASL security layers are weaker, often, and also have certain
> undesirable properties, such as transmitting the userid and authid in
> the clear, though, you want to be using TLS as a client.
On the server side I also cannot just not offer TLS and only offer a
security layer in SASL. If I did so, I would not allow the client
to authenticate using TLS - which is probably the strongest way we
currently have for client authentication and ensuring an encrypting layer.
I think if a server does not care that there is a security layer to the
client (current standard case), the connection should not use a SASL
security layer inside the TLS layer. But it shouldn't be the client
that decides that this SASL layer is not established, but the server.
Therefore I think that Psi should establish the auth-conf layer of
DIGEST-MD5 if that is offered by the server - but servers typically
should not offer this layer if TLS has already been established - as it
is the server for which it matters if that second security layer exists
or not.
Matthias
--
Matthias Wimmer Fon +49-700 77 00 77 70
Züricher Str. 243 Fax +49-89 95 89 91 56
81476 München http://ma.tthias.eu/
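The split of responsibility argued above (the server decides whether to advertise a SASL security layer once TLS is up; the client simply takes the strongest qop offered) as an added example, not code from Psi or from any server mentioned in the thread. The challenge parser, the function names and the fixed realm/nonce values are assumptions made for this example.

```python
import re

# Minimal parser for the comma-separated key=value / key="quoted" form of a
# DIGEST-MD5 server challenge (RFC 2831). Quoted values may contain commas,
# which matters for qop="auth,auth-int,auth-conf".
_PAIR = re.compile(r'([A-Za-z0-9_-]+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))')


def parse_challenge(challenge: str) -> dict:
    fields = {}
    for m in _PAIR.finditer(challenge):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        fields[m.group(1).lower()] = value.replace('\\"', '"')
    return fields


def server_qop_offer(tls_established: bool, require_security_layer: bool) -> str:
    """Server-side rule from the mail: once TLS is established, do not offer a
    second (SASL) security layer unless the server itself wants one."""
    if tls_established and not require_security_layer:
        return "auth"
    return "auth,auth-int,auth-conf"


def build_server_challenge(tls_established: bool, require_security_layer: bool,
                           realm: str = "example.net",
                           nonce: str = "OA6MG9tEQGm2hh") -> str:
    # Constructed challenge; the nonce is a fixed placeholder here, a real
    # server must generate a fresh random one per challenge.
    return ('realm="%s",nonce="%s",qop="%s",charset=utf-8,algorithm=md5-sess'
            % (realm, nonce, server_qop_offer(tls_established, require_security_layer)))


def client_choose_qop(challenge: str) -> str:
    """Client-side behaviour proposed for Psi: pick the strongest qop the
    server advertises, so auth-conf whenever it is on offer."""
    offered = parse_challenge(challenge).get("qop", "auth")
    options = {q.strip() for q in offered.split(",") if q.strip()}
    for preferred in ("auth-conf", "auth-int", "auth"):
        if preferred in options:
            return preferred
    raise ValueError("no supported qop in challenge: %r" % offered)


if __name__ == "__main__":
    # Over TLS the server drops the SASL layer; the client follows suit.
    print(client_choose_qop(build_server_challenge(True, False)))   # auth
    # Without TLS the server offers a layer and the client takes auth-conf.
    print(client_choose_qop(build_server_challenge(False, False)))  # auth-conf
```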