Re: (ITS#5195) ssf not available during sasl bind
quanah@zimbra.com wrote:
> --On Monday, October 29, 2007 8:13 PM +0000 hyc@symas.com wrote:
>> You really need to read more carefully. If you only care about the
>> overall SSF, regardless of whether it's from TLS or SASL, then just use
>> the "ssf" factor. --
>
> Nice, in theory, but I think my example was bad. So let's rehash.
>
> When I was at Stanford, the SASL SSF max was 56, because of the DES keys.
> The TLS SSF was 128. So how would I indicate that I want EITHER a SASL SSF
> of 56 or a TLS SSF of 128 using the security directive?
You don't. That would open you up to a downgrade attack.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/