SASL always returns ssf=56 for GSSAPI

Alexey Melnikov alexey.melnikov at isode.com
Fri Sep 22 05:52:46 EDT 2006


Nicolas Williams wrote:

>BTW, the whole concept of absolute security strength factors is broken.
>
>After all, the relative strengths of ciphers, hashes, MACs, assymertic
>cryptographic algorithms (RSA, DH, etc...) and cryptographic protocols
>built on them are variable over time.  And some constructions can be
>much stronger than the individual components used to build them.
>  
>
Good point.

>IMO the right way to design an API for expressing and enforcing policy
>relating to the strength of cryptographic systems used, and in the face
>of pluggable frameworks, is to provide for rules-based profiles that
>applications and libraries refer to by name, and which mechanisms simply
>evaluate.
>
>Then administrators can write profiles that express the policies that
>they want.
>  
>
This sounds fascinating, but extremely complex. Most administrators 
wouldn't really care.
How would this look like?



More information about the Cyrus-sasl mailing list