Cyrus POP3 Issue
marco at esi.it
Fri Mar 11 05:33:18 EST 2005
Rob Siemborski wrote:
> SASL doesn't generate *keys* using this, it generates *nonces*, which
> are known to the attacker anyway, since they are transmitted in the
> clear anyway. It just matters that they don't repeat often enough to
> bother precomputing values for.
> If SASL was using this for key generation, then yes, most of the
> comments in this thread have merit.
Ok technically speaking SSL/TLS is not part of SASL. But the two are
related. Maybe I'm biased by the fact that most of the connections I see
are SSL+plaintext. So I was referring to SSL keys actually.
I have to say I'm not familiar with CRAM-MD5/DIGEST-MD5. But in the latter
the channel can be encrypted, so I guess at some point a shared session
key is generated.
> (Hmmm, its possible that the SRP plugin is using this for something
> else, I'm not familiar enough with SRP and would have to ask Ken).
____/ ____/ /
/ / / Marco Colombo
___/ ___ / / Technical Manager
/ / / ESI s.r.l.
_____/ _____/ _/ Colombo at ESI.it
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus