
Re: SASL, TLS and SSLv3

> On  1 Dec, patl@phoenix.volant.org wrote:
> > It is my understanding that SASL is not an issue since it involves
> > only authentication, not encryption.
> > 
> Quote from rfc2222 (Simple Authentication and Security Layer):
>  During the authentication protocol exchange, the mechanism performs
>    authentication, transmits an authorization identity (frequently known
>    as a userid) from the client to server, and negotiates the use of a
>    mechanism-specific security layer.  If the use of a security layer is
>    agreed upon, then the mechanism must also define or negotiate the
>    maximum cipher-text buffer size that each side is able to receive.

Right.  But the basic SASL mechanism does not have to include support
for specifically negotiating encryption of the protocol stream.  At the
most basic, it would only support cleartext userid/password checking.
And there is a level in between where it could use cryptographic techniques
for authentication only, without encrypting the following protocol stream.

It is my understanding that the US government has no restrictions on
crypto technology which is used -only- for authentication.  (E.g.,
digital signatures.)
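As an added illustration of the distinction drawn in this thread (not code from the thread or from any SASL library), the following contrasts a cleartext userid/password mechanism (SASL PLAIN, RFC 2595) with a challenge-response mechanism that uses cryptography for authentication only (SASL CRAM-MD5, RFC 2195); the user table and the "example.invalid" challenge host are constructed for the example, and neither mechanism negotiates a security layer, so the protocol stream after authentication stays cleartext in both cases.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for the example server (hypothetical, not from the page).
USERS = {"alice": "correct horse"}


def plain_exchange(user: str, password: str) -> tuple[bytes, bool]:
    """SASL PLAIN: the client sends authzid NUL authcid NUL passwd verbatim.
    This is the most basic level: the password itself crosses the wire."""
    wire = f"\0{user}\0{password}".encode()
    # Server side: split the message and compare against the stored secret.
    _authzid, authcid, passwd = wire.decode().split("\0")
    ok = USERS.get(authcid) == passwd
    return wire, ok


def cram_md5_exchange(user: str, password: str) -> tuple[bytes, bytes, bool]:
    """SASL CRAM-MD5: server issues a one-time challenge, client answers with
    HMAC-MD5(password, challenge). Cryptography is used only to authenticate;
    the password never crosses the wire, but nothing afterwards is encrypted."""
    challenge = f"<{secrets.token_hex(8)}@example.invalid>".encode()
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    wire = f"{user} {digest}".encode()
    # Server side: recompute the digest from the stored secret and compare
    # in constant time. An unknown user never authenticates.
    name, received = wire.decode().split(" ")
    secret = USERS.get(name, "")
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    ok = name in USERS and hmac.compare_digest(received, expected)
    return challenge, wire, ok


def password_on_wire(wire: bytes, password: str) -> bool:
    """True if the raw password bytes appear in the authentication message."""
    return password.encode() in wire


if __name__ == "__main__":
    pw = "correct horse"
    plain_wire, _ = plain_exchange("alice", pw)
    _, cram_wire, _ = cram_md5_exchange("alice", pw)
    print("PLAIN leaks password:", password_on_wire(plain_wire, pw))
    print("CRAM-MD5 leaks password:", password_on_wire(cram_wire, pw))
```

A mechanism that also negotiates a security layer (the third level in the RFC 2222 text quoted above) would, after a successful exchange, agree on a maximum cipher-text buffer size and wrap every subsequent message; neither mechanism here does that.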