SASL always returns ssf=56 for GSSAPI

Nicolas Williams Nicolas.Williams at
Thu Sep 21 19:02:51 EDT 2006

On Fri, Sep 22, 2006 at 12:53:42AM +0200, Hai Zaar wrote:
> On 9/22/06, Nicolas Williams <Nicolas.Williams at> wrote:
> >BTW, the whole concept of absolute security strength factors is broken.
> >
> >After all, the relative strengths of ciphers, hashes, MACs, assymertic
> >cryptographic algorithms (RSA, DH, etc...) and cryptographic protocols
> >built on them are variable over time.  And some constructions can be
> >much stronger than the individual components used to build them.
> >
> >IMO the right way to design an API for expressing and enforcing policy
> >relating to the strength of cryptographic systems used, and in the face
> >of pluggable frameworks, is to provide for rules-based profiles that
> >applications and libraries refer to by name, and which mechanisms simply
> >evaluate.
> >
> >Then administrators can write profiles that express the policies that
> >they want.
> This is a very interesting point.
> You probably should point this out at SASL ietf mailing list:

Maybe.  I've already made this point somewhere in IETF meetings or
mailing lists.  When I get the time I may even write an Internet-Draft
about this.

More information about the Cyrus-sasl mailing list