Re: authmeth: user-specified SASL mechanisms



Hallvard B Furuseth wrote:
> authmeth-09 says:
>
> 3.3.5. Rules for using SASL security layers
>
>   Because SASL mechanisms provide critical security functions, clients
>   and servers should allow the user to specify what mechanisms are
>   acceptable and allow only those mechanisms to be used.
>
> By itself, I think this is bad advice, because most users know very little about security. I suppose many clients will have to ask their users, but preferably they should also explain the implications of what they allow the user to select.

Hmm, maybe the term "user" should be made more clear. At first glance one understands non-technical end-users sitting in front of their workstation. But you could also think of a user being a site administrator choosing the acceptable SASL mechanism(s) for a centrally configured LDAP client. Therefore the client and the server should allow the "user" to specify an acceptable SASL mechanism.


Ciao, Michael.
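The client-side enforcement Michael describes (a site administrator configures the acceptable SASL mechanisms centrally, and the client uses only those, whatever the server advertises), as an added example that is not code from this thread or from any LDAP implementation. The root DSE text, the configured mechanism list and its preference order are constructed assumptions.

```python
# Added example: apply an administrator-configured list of acceptable SASL
# mechanisms when choosing from what the server advertises. The root DSE
# fragment, the policy and the preference order are constructed here.

# Constructed root DSE fragment (LDIF-style), as a server might return it.
ROOT_DSE = """\
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedLDAPVersion: 3
"""

# Mechanisms the site administrator allows, most preferred first (constructed).
ACCEPTABLE = ["GSSAPI", "DIGEST-MD5"]


class NoAcceptableMechanism(Exception):
    """Raised when the server offers none of the configured mechanisms."""


def advertised_mechanisms(root_dse: str) -> list[str]:
    """Collect supportedSASLMechanisms values from an LDIF-style root DSE."""
    mechs = []
    for line in root_dse.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedsaslmechanisms":
            mechs.append(value.strip().upper())
    return mechs


def choose_mechanism(acceptable: list[str], offered: list[str]) -> str:
    """Pick the first configured mechanism that the server also offers.

    The configured order is the administrator's preference. Anything the
    server offers that is not in the configured list is ignored, so a server
    advertising only weaker mechanisms cannot steer the client onto one.
    """
    offered_set = {m.upper() for m in offered}
    for mech in acceptable:
        if mech.upper() in offered_set:
            return mech.upper()
    raise NoAcceptableMechanism(
        f"server offers {sorted(offered_set)}, policy allows {acceptable}"
    )


def negotiate(root_dse: str, acceptable: list[str]) -> str:
    """Parse the root DSE and apply the policy; raises if nothing matches."""
    return choose_mechanism(acceptable, advertised_mechanisms(root_dse))


if __name__ == "__main__":
    print(negotiate(ROOT_DSE, ACCEPTABLE))  # GSSAPI
```

With PLAIN absent from the configured list, the client never selects it even though the server offers it; a server that offers only PLAIN gets a refusal rather than a bind.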