[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: authmeth: user-specified SASL mechanisms

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: authmeth: user-specified SASL mechanisms
From: Michael Ströder <michael@stroeder.com>
Date: Sun, 04 Jan 2004 12:24:25 +0100
Cc: ietf-ldapbis@OpenLDAP.org
In-reply-to: <HBF.20040103kzco@bombur.uio.no>
References: <HBF.20040103kzco@bombur.uio.no>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007

Hallvard B Furuseth wrote:

authmeth-09 says:

3.3.5. Rules for using SASL security layers

  Because SASL mechanisms provide critical security functions, clients
  and servers should allow the user to specify what mechanisms are
  acceptable and allow only those mechanisms to be used.


By itself, I think this is bad advice, because most users know very
little about security.  I suppose many clients will have to ask
their users, but preferably they should also explain the
implications of what they allow the user to select.

Hmm, maybe the term "user" should be made more clear. At first glance one understands non-technical end-users sitting in front of their workstation. But you could also think of a user being a site administrator choosing the acceptable SASL mechanism(s) for a centrally configured LDAP client. Therefore the client and the server should allow the "user" to specify an acceptable SASL mechanism.

Ciao, Michael.

References:
- authmeth: user-specified SASL mechanisms
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: protocol: unrecognized protocolOp tag
Next by Date: RE: authmeth-09 comments
Index(es):
- Chronological
- Thread