
Re: (ITS#5195) ssf not available during sasl bind

Quanah Gibson-Mount wrote:
> --On Monday, October 29, 2007 10:57 PM +0000 hyc@symas.com wrote:
>> You don't. That would open you up to a downgrade attack.

> So I think the point of the ITS remains.  It's difficult to do what they
> wanted to do.  And really, sometimes all you care about is that the connection is
> encrypted at a particular base level based on the type of encryption being
> done.  Which is how it was at Stanford.  Which apparently we don't support
> using the security directive.  Which is why my ACLs had sasl_ssf=56 all
> over them.

Your point and the original ITS are quite different. In your case, you want to 
require a different SSF based on the underlying mechanism. That is foolish as 
far as security policy goes; any attacker will simply ignore the stronger 
defense and focus on breaking the weaker one. As the original poster stated, 
security is only as strong as the weakest link.

Stay focused on the original ITS topic.
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
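To make the weakest-link argument above concrete, here is an added model (not OpenLDAP code, and not a reproduction of slapd's own policy checks) of SASL mechanism selection under two policy shapes: one SSF floor applied to every bind, versus a separate floor per mechanism. The mechanism names, the SSF each mechanism is assumed to yield, and the policy values are assumptions for the illustration. An active attacker who can rewrite the unauthenticated supportedSASLMechanisms advertisement strips the stronger mechanisms; under the per-mechanism policy the bind is still accepted at the weaker mechanism's floor, so the policy's real guarantee is the minimum over all mechanisms.

```python
"""Added illustration (not OpenLDAP code): a per-mechanism SSF floor is only
as strong as its weakest mechanism, and a mechanism-stripping downgrade is
how an attacker gets there. Mechanism names, per-mechanism SSF values and
the policy shapes are assumptions for the example, not slapd behaviour."""
from typing import Dict, List, Optional, Tuple, Union

# Constructed: SSF a bind ends up with once each mechanism completes
# (assumed values chosen for the example, not real defaults).
MECHANISM_SSF: Dict[str, int] = {
    "DIGEST-MD5": 128,
    "GSSAPI": 56,
    "CRAM-MD5": 0,
}

# Two policy shapes: one floor for every bind, or a floor per mechanism.
UniformPolicy = int
PerMechanismPolicy = Dict[str, int]
Policy = Union[UniformPolicy, PerMechanismPolicy]


def required_ssf(policy: Policy, mech: str) -> int:
    """Minimum SSF the server demands for a bind that used `mech`."""
    if isinstance(policy, int):
        return policy
    # A mechanism the per-mechanism policy forgot to list gets no floor at all.
    return policy.get(mech, 0)


def effective_floor(policy: Policy, mechs: List[str]) -> int:
    """What a policy really guarantees: the weakest floor an attacker can
    steer a client onto by controlling which mechanisms it sees."""
    return min(required_ssf(policy, m) for m in mechs)


def strip_mechanisms(advertised: List[str], keep: List[str]) -> List[str]:
    """Active attacker rewriting the unauthenticated mechanism advertisement
    so the client only sees the mechanisms the attacker wants it to use."""
    return [m for m in advertised if m in keep]


def client_choice(advertised: List[str], preference: List[str]) -> Optional[str]:
    """A well-behaved client picks its most preferred advertised mechanism."""
    for m in preference:
        if m in advertised:
            return m
    return None


def server_accepts(policy: Policy, mech: str) -> Tuple[bool, int]:
    """Server-side check after the SASL exchange: does the negotiated SSF
    meet the floor the policy sets for this mechanism?"""
    got = MECHANISM_SSF[mech]
    return got >= required_ssf(policy, mech), got


def bind(policy: Policy, advertised: List[str],
         preference: List[str]) -> Tuple[Optional[str], bool, int]:
    """Run one negotiation: (mechanism used, accepted?, SSF obtained)."""
    mech = client_choice(advertised, preference)
    if mech is None:
        return None, False, 0
    ok, ssf = server_accepts(policy, mech)
    return mech, ok, ssf


SERVER_MECHS = ["DIGEST-MD5", "GSSAPI", "CRAM-MD5"]
CLIENT_PREFERENCE = ["DIGEST-MD5", "GSSAPI", "CRAM-MD5"]

# The per-mechanism wish: "128 if you used DIGEST-MD5, 56 if you used GSSAPI".
PER_MECH: PerMechanismPolicy = {"DIGEST-MD5": 128, "GSSAPI": 56, "CRAM-MD5": 0}
# One floor, whatever mechanism the client ended up using.
UNIFORM: UniformPolicy = 128


if __name__ == "__main__":
    downgraded = strip_mechanisms(SERVER_MECHS, keep=["GSSAPI"])
    for name, policy in (("per-mechanism", PER_MECH), ("uniform", UNIFORM)):
        print(f"{name}: effective floor = {effective_floor(policy, SERVER_MECHS)}")
        print("  honest advertisement :", bind(policy, SERVER_MECHS, CLIENT_PREFERENCE))
        print("  attacker-stripped    :", bind(policy, downgraded, CLIENT_PREFERENCE))
```

With the honest advertisement both policies accept a DIGEST-MD5 bind at SSF 128. After the attacker strips everything but GSSAPI, the per-mechanism policy still accepts the bind at 56 (and would accept CRAM-MD5 at 0, which is why its effective floor is 0), while the uniform floor rejects it. The uniform shape is what a single `security ssf=` line in slapd.conf expresses; the model above does not reproduce slapd's actual checks.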