
Re: (ITS#5195) ssf not available during sasl bind

quanah@zimbra.com wrote:
> --On Monday, October 29, 2007 8:13 PM +0000 hyc@symas.com wrote:
>> You really need to read more carefully. If you only care about the
>> overall SSF, regardless of whether it's from TLS or SASL, then just use
>> the "ssf" factor.
> Nice, in theory, but I think my example was bad.  So let's rehash.
> When I was at Stanford, the SASL SSF max was 56, because of the DES keys.
> The TLS SSF was 128.  So how would I indicate that I want EITHER a SASL SSF
> of 56 or a TLS SSF of 128 using the security directive?

You don't. That would open you up to a downgrade attack.
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
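
The exchange above, modelled as an added example (not part of the original messages and not OpenLDAP code): every factor listed in a `security` directive is a minimum that must be met, and an either/or rule would accept anything that reaches its weaker arm. The function names and the `either_or` rule are hypothetical, the overall SSF is assumed to be the strongest layer on the connection, and the 56 and 128 values are the ones quoted in the thread.

```python
# Simplified model of slapd's "security" directive: each listed factor is a
# minimum and all of them must hold (logical AND). Not OpenLDAP source code.
FACTORS = ("ssf", "transport", "tls", "sasl")

def parse_security(directive):
    """Parse e.g. 'security tls=128 sasl=56' into {'tls': 128, 'sasl': 56}."""
    words = directive.split()
    if not words or words[0] != "security":
        raise ValueError("not a security directive")
    policy = {}
    for word in words[1:]:
        name, _, value = word.partition("=")
        if name not in FACTORS:
            raise ValueError(f"factor not modelled: {name}")
        policy[name] = int(value)
    return policy

def connection_ssf(conn):
    """Assumption: overall SSF is the strongest layer present."""
    return max(conn.get(k, 0) for k in ("transport", "tls", "sasl"))

def allowed(policy, conn):
    """Every listed factor must be satisfied; there is no OR form."""
    actual = dict(conn, ssf=connection_ssf(conn))
    return all(actual.get(name, 0) >= minimum for name, minimum in policy.items())

def either_or(conn, tls_min=128, sasl_min=56):
    """Hypothetical 'TLS >= 128 OR SASL >= 56' rule asked about in the thread."""
    return conn.get("tls", 0) >= tls_min or conn.get("sasl", 0) >= sasl_min

# Constructed connections using the strengths quoted in the thread.
TLS_ONLY = {"tls": 128}
SASL_DES = {"sasl": 56}          # no TLS layer, 56-bit SASL layer only
BOTH = {"tls": 128, "sasl": 56}
CONNS = (TLS_ONLY, SASL_DES, BOTH)

def report():
    """Return (rule, [accepted for TLS_ONLY, SASL_DES, BOTH]) rows."""
    rules = ("security ssf=56", "security ssf=128", "security tls=128 sasl=56")
    rows = [(r, [allowed(parse_security(r), c) for c in CONNS]) for r in rules]
    rows.append(("either-or (hypothetical)", [either_or(c) for c in CONNS]))
    return rows

if __name__ == "__main__":
    for rule, results in report():
        print(f"{rule:28} {results}")
```

The hypothetical either/or row accepts exactly the same connections as `security ssf=56`, so a session that never negotiates TLS passes at 56 bits; `security ssf=128` is the setting in this model that rejects it.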