Cyrus POP3 Issue
Rob Siemborski
rjs3 at andrew.cmu.edu
Fri Mar 11 17:51:28 EST 2005
On Fri, 11 Mar 2005, Marco Colombo wrote:
> Ok technically speaking SSL/TLS is not part of SASL. But the two are
> related. Maybe I'm biased by the fact that most of the connections I see
> are SSL+plaintext. So I was referring to SSL keys actually.
Sure, or, say, kerberos keys.
For what SASL is using it for, its a far lesser sin.
> I have to say I'm not familiar with CRAM-MD5/DIGEST-MD5. But in the latter
> the channel can be encrypted, so I guess at some point a shared session
> key is generated.
Yes, there is a session key here, but the information it is
based off of is the nonces (as I said, they need to be sent in the clear
anyway, so coming from urandom doesn't matter that much), the shared
secret, and some static text.
See RFC 2831.
-Rob
---------------------------------------------------------------------
Rob Siemborski
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus
mailing list