SASL always returns ssf=56 for GSSAPI

Nicolas Williams Nicolas.Williams at
Thu Sep 21 18:44:58 EDT 2006

BTW, the whole concept of absolute security strength factors is broken.

After all, the relative strengths of ciphers, hashes, MACs, assymertic
cryptographic algorithms (RSA, DH, etc...) and cryptographic protocols
built on them are variable over time.  And some constructions can be
much stronger than the individual components used to build them.

IMO the right way to design an API for expressing and enforcing policy
relating to the strength of cryptographic systems used, and in the face
of pluggable frameworks, is to provide for rules-based profiles that
applications and libraries refer to by name, and which mechanisms simply

Then administrators can write profiles that express the policies that
they want.


More information about the Cyrus-sasl mailing list