>>> Michael Ströder <michael@stroeder.com> 1/4/2004 4:24:25 AM >>>
> Hallvard B Furuseth wrote:
> > authmeth-09 says:
> >
> >> 3.3.5. Rules for using SASL security layers
> >
> >> Because SASL mechanisms provide critical security functions, clients
> >> and servers should allow the user to specify what mechanisms are
> >> acceptable and allow only those mechanisms to be used.
> >
> > By itself, I think this is bad advice, because most users know very
> > little about security. I suppose many clients will have to ask
> > their users, but preferably they should also explain the
> > implications of what they allow the user to select.
>
> Hmm, maybe the term "user" should be made more clear. At first glance one
> understands non-technical end-users sitting in front of their workstation.
> But you could also think of a user being a site administrator choosing the
> acceptable SASL mechanism(s) for a centrally configured LDAP client.
> Therefore the client and the server should allow the "user" to specify an
> acceptable SASL mechanism.
>
> Ciao, Michael.

How about this wording:

Because SASL mechanisms provide critical security functions, clients and servers should be configurable to specify what mechanisms are acceptable and allow only those mechanisms to be used.

Roger
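As an added illustration of the "configurable" wording above (this is example code, not from the authmeth draft or any LDAP implementation), here is a client-side mechanism policy in which a site administrator fixes the acceptable SASL mechanisms and an end user may only narrow or reorder within that set; the server list and policy values are constructed for the example.

```python
# Added example: enforce an administrator-configured set of acceptable SASL
# mechanisms on the client side, so a user preference can never widen it and
# an unacceptable server offer is refused rather than silently downgraded.
from dataclasses import dataclass

# Constructed sample of what a server might advertise in its root DSE
# supportedSASLMechanisms attribute (not taken from any real server).
SERVER_ADVERTISED = ["PLAIN", "LOGIN", "DIGEST-MD5", "GSSAPI", "EXTERNAL"]


class NoAcceptableMechanism(Exception):
    """Raised when no advertised mechanism is acceptable under the policy."""


@dataclass
class SaslPolicy:
    # Set centrally by the site administrator (the "user" in the admin sense),
    # in order of preference.
    admin_allowed: tuple
    # Optional end-user preference order; may restrict or reorder, never widen.
    user_preferred: tuple = ()

    def acceptable(self):
        """Effective mechanisms: the admin allow-list, narrowed by the user."""
        if not self.user_preferred:
            return list(self.admin_allowed)
        # A mechanism the site disallows is dropped even if the user asks for it.
        return [m for m in self.user_preferred if m in self.admin_allowed]

    def choose(self, advertised):
        """Pick the first acceptable mechanism the server actually advertises."""
        offered = set(advertised)
        for mech in self.acceptable():
            if mech in offered:
                return mech
        # No fallback to a weaker mechanism or to a simple bind: fail closed.
        raise NoAcceptableMechanism(
            f"server offers {sorted(offered)}, policy allows {self.acceptable()}"
        )


if __name__ == "__main__":
    site = SaslPolicy(admin_allowed=("GSSAPI", "DIGEST-MD5", "EXTERNAL"))
    print(site.choose(SERVER_ADVERTISED))  # GSSAPI
```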