Re: authmeth: user-specified SASL mechanisms
Hallvard B Furuseth wrote:
> > 3.3.5. Rules for using SASL security layers
> > Because SASL mechanisms provide critical security functions, clients
> > and servers should allow the user to specify what mechanisms are
> > acceptable and allow only those mechanisms to be used.
>
> By itself, I think this is bad advice, because most users know very
> little about security. I suppose many clients will have to ask
> their users, but preferably they should also explain the
> implications of what they allow the user to select.
Hmm, maybe the term "user" should be made more clear. At first glance one
understands non-technical end-users sitting in front of their workstation.
But you could also think of a user being a site administrator choosing the
acceptable SASL mechanism(s) for a centrally configured LDAP client.
Therefore the client and the server should allow the "user" to specify an
acceptable SASL mechanism.
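As an added illustration of what "allow the 'user' to specify an acceptable SASL mechanism" looks like on the client side when the "user" is a site administrator, here is example code that is not part of this thread, the draft, or any LDAP implementation. It applies an administrator-configured allow list (the list and the sample root DSE responses are constructed for the example) to the mechanisms a server advertises in supportedSASLMechanisms, picks by the client's preference order rather than the server's, and refuses to bind at all when nothing acceptable is offered, so that a server, or someone rewriting the root DSE on the wire, cannot steer the client down to a weaker mechanism.

```python
"""Enforce an administrator-configured allow list of SASL mechanisms
on an LDAP client. Added example, not code from the original message.
Mechanism names are real SASL mechanism names; the policy and the
sample server responses below are constructed for illustration."""

# Administrator-chosen acceptable mechanisms, most preferred first.
# Constructed policy for this example, not a recommendation from the draft.
CLIENT_ALLOWED_MECHS = ["GSSAPI", "SCRAM-SHA-256", "DIGEST-MD5"]


class NoAcceptableMechanism(Exception):
    """Raised when the server offers none of the allowed mechanisms."""


def parse_supported_sasl_mechanisms(root_dse_attrs):
    """Return the supportedSASLMechanisms values from a root DSE given as
    an attribute-name -> list-of-values mapping. LDAP attribute names are
    case-insensitive, so the lookup ignores case; values may be bytes or str."""
    for name, values in root_dse_attrs.items():
        if name.lower() == "supportedsaslmechanisms":
            return [v.decode("utf-8") if isinstance(v, bytes) else v for v in values]
    return []


def choose_mechanism(server_mechs, allowed=CLIENT_ALLOWED_MECHS):
    """Pick the first mechanism in the client's preference order that the
    server offers. Walking the client's list (not the server's) means the
    server cannot influence which acceptable mechanism is chosen, and an
    exception instead of a fallback means a downgraded offer (e.g. only
    PLAIN/LOGIN) results in no bind rather than a weaker one."""
    offered = {m.upper() for m in server_mechs}
    for mech in allowed:
        if mech.upper() in offered:
            return mech
    raise NoAcceptableMechanism(
        f"server offers {sorted(offered)}, policy allows {allowed}"
    )


def select_for_root_dse(root_dse_attrs, allowed=CLIENT_ALLOWED_MECHS):
    """Convenience wrapper: parse the root DSE and apply the policy."""
    return choose_mechanism(parse_supported_sasl_mechanisms(root_dse_attrs), allowed)


if __name__ == "__main__":
    # Constructed root DSE responses, as a directory library would hand them back.
    normal_dse = {"supportedSASLMechanisms": [b"DIGEST-MD5", b"GSSAPI", b"PLAIN"]}
    downgraded_dse = {"supportedSASLMechanisms": [b"PLAIN", b"LOGIN"]}

    print("normal server ->", select_for_root_dse(normal_dse))
    try:
        select_for_root_dse(downgraded_dse)
    except NoAcceptableMechanism as err:
        print("downgraded server -> refusing to bind:", err)
```

The same policy can be expressed declaratively in a centrally managed client configuration; OpenLDAP's ldap.conf, for instance, has SASL_MECH to pin the mechanism and SASL_SECPROPS to require properties such as a minimum security-layer strength. The code above shows the behaviour such a setting needs to have underneath: a fixed preference order and a hard failure rather than a silent fallback.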