Cyrus POP3 Issue

Rob Siemborski rjs3 at
Fri Mar 11 17:51:28 EST 2005

On Fri, 11 Mar 2005, Marco Colombo wrote:

> Ok technically speaking SSL/TLS is not part of SASL. But the two are
> related. Maybe I'm biased by the fact that most of the connections I see
> are SSL+plaintext. So I was referring to SSL keys actually.

Sure, or, say, kerberos keys.

For what SASL is using it for, its a far lesser sin.

> I have to say I'm not familiar with CRAM-MD5/DIGEST-MD5. But in the latter
> the channel can be encrypted, so I guess at some point a shared session
> key is generated.

Yes, there is a session key here, but the information it is 
based off of is the nonces (as I said, they need to be sent in the clear 
anyway, so coming from urandom doesn't matter that much), the shared 
secret, and some static text.

See RFC 2831.


Rob Siemborski

Cyrus Home Page:
Cyrus Wiki/FAQ:
List Archives/Info:

More information about the Info-cyrus mailing list