Cyrus POP3 Issue

Marco Colombo marco at
Fri Mar 11 05:33:18 EST 2005

Rob Siemborski wrote:
> SASL doesn't generate *keys* using this, it generates *nonces*, which 
> are known to the attacker anyway, since they are transmitted in the 
> clear anyway.  It just matters that they don't repeat often enough to 
> bother precomputing values for.
> If SASL was using this for key generation, then yes, most of the 
> comments in this thread have merit.

OK, technically speaking, SSL/TLS is not part of SASL. But the two are
related. Maybe I'm biased by the fact that most of the connections I see
are SSL+plaintext, so I was referring to SSL keys, actually.

I have to say I'm not familiar with CRAM-MD5/DIGEST-MD5, but in the latter
the channel can be encrypted, so I guess at some point a shared session
key is generated.

> -Rob
> (Hmmm, it's possible that the SRP plugin is using this for something 
> else, I'm not familiar enough with SRP and would have to ask Ken).

       ____/  ____/   /
      /      /       /			Marco Colombo
     ___/  ___  /   /		      Technical Manager
    /          /   /			 ESI s.r.l.
  _____/ _____/  _/		       Colombo at
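As an added illustration of the session-key question raised above (example code written for this page, not code from Cyrus SASL or from either poster), here is the DIGEST-MD5 derivation of RFC 2831 in Python, with both sides of the exchange computed locally. The account name, realm, password, nonce, cnonce and digest-uri are constructed sample values. It shows where the thread's distinction lands for DIGEST-MD5: the server nonce and client cnonce travel in the clear and only salt the derivation, while every session key (Kic/Kis for the integrity layer, Kcc/Kcs for the confidentiality layer) is an MD5 of H(A1), which cannot be formed without H(username:realm:password). Reusing the same nonce and cnonce with the same password reproduces the same keys, which is why the nonce's job is non-repetition rather than secrecy.

```python
import hashlib
import hmac
import os

# Magic strings from RFC 2831 sections 2.3 and 2.4 (integrity and confidentiality keys).
KIC_MAGIC = b"Digest session key to client-to-server signing key magic constant"
KIS_MAGIC = b"Digest session key to server-to-client signing key magic constant"
KCC_MAGIC = b"Digest H(A1) to client-to-server sealing key magic constant"
KCS_MAGIC = b"Digest H(A1) to server-to-client sealing key magic constant"

# Leading bytes of H(A1) that feed the sealing keys, per cipher (RFC 2831 section 2.4).
CIPHER_KEY_BYTES = {"rc4": 16, "3des": 16, "rc4-56": 7, "rc4-40": 5}


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def h_a1(username: bytes, realm: bytes, password: bytes, nonce: bytes, cnonce: bytes) -> bytes:
    """H(A1) of RFC 2831 section 2.1.2.1 (authzid omitted).

    nonce and cnonce are public; the raw 16-byte H(username:realm:passwd) is the
    only input an eavesdropper lacks, and every session key below hangs off H(A1).
    """
    urp = md5(b":".join([username, realm, password]))
    return md5(b":".join([urp, nonce, cnonce]))


def response_value(ha1: bytes, nonce: bytes, nc: bytes, cnonce: bytes,
                   qop: bytes, digest_uri: bytes, server: bool = False) -> str:
    """Client 'response' (or server 'rspauth' when server=True), RFC 2831 section 2.1.2.1."""
    a2 = (b"" if server else b"AUTHENTICATE") + b":" + digest_uri
    if qop in (b"auth-int", b"auth-conf"):
        a2 += b":" + b"0" * 32          # 32 hex zeros are appended for auth-int and auth-conf
    kd = b":".join([ha1.hex().encode(), nonce, nc, cnonce, qop, md5(a2).hex().encode()])
    return md5(kd).hex()


def session_keys(ha1: bytes, cipher: str) -> dict:
    """Integrity (Kic/Kis) and confidentiality (Kcc/Kcs) keys, RFC 2831 sections 2.3 and 2.4."""
    n = CIPHER_KEY_BYTES[cipher]
    return {
        "kic": md5(ha1 + KIC_MAGIC),
        "kis": md5(ha1 + KIS_MAGIC),
        "kcc": md5(ha1[:n] + KCC_MAGIC),
        "kcs": md5(ha1[:n] + KCS_MAGIC),
    }


def mac_block(ki: bytes, seqnum: int, msg: bytes) -> bytes:
    """16-byte auth-int trailer: HMAC-MD5(Ki, SeqNum||msg)[0:10] || 0x0001 || SeqNum (RFC 2831 2.3)."""
    seq = seqnum.to_bytes(4, "big")
    return hmac.new(ki, seq + msg, hashlib.md5).digest()[:10] + b"\x00\x01" + seq


def run_exchange(password_at_client: bytes, nonce: bytes, cnonce: bytes, cipher: str = "rc4") -> dict:
    """One DIGEST-MD5 exchange with qop=auth-conf, both sides computed locally.

    The server's secret is the constructed account below; the client is handed
    password_at_client so that a wrong guess can be fed through the same path.
    """
    user, realm = b"marco", b"example.invalid"           # constructed sample account
    server_pw = b"correct horse battery staple"           # constructed sample password
    qop, nc, uri = b"auth-conf", b"00000001", b"pop/mail.example.invalid"

    # Client: knows nonce (sent by the server in the clear), picks cnonce, answers.
    c_ha1 = h_a1(user, realm, password_at_client, nonce, cnonce)
    response = response_value(c_ha1, nonce, nc, cnonce, qop, uri)

    # Server: repeats the derivation from its own copy of the secret and compares.
    s_ha1 = h_a1(user, realm, server_pw, nonce, cnonce)
    expected = response_value(s_ha1, nonce, nc, cnonce, qop, uri)
    rspauth = response_value(s_ha1, nonce, nc, cnonce, qop, uri, server=True)

    # Client checks rspauth so a server that never knew the secret is caught too.
    client_keys = session_keys(c_ha1, cipher)
    return {
        "authenticated": hmac.compare_digest(response, expected),
        "rspauth_ok": hmac.compare_digest(
            rspauth, response_value(c_ha1, nonce, nc, cnonce, qop, uri, server=True)),
        "client_keys": client_keys,
        "server_keys": session_keys(s_ha1, cipher),
        "client_mac": mac_block(client_keys["kic"], 0, b"STAT\r\n"),
    }


if __name__ == "__main__":
    nonce, cnonce = os.urandom(16).hex().encode(), os.urandom(16).hex().encode()
    r = run_exchange(b"correct horse battery staple", nonce, cnonce)
    print("authenticated:", r["authenticated"], "keys match:", r["client_keys"] == r["server_keys"])
```

Run stand-alone it performs one exchange with fresh random nonces and reports that both sides agree on the keys. The interesting experiments are the ones in the design: feed a wrong password and the response fails while the two key sets diverge; feed the same nonce and cnonce twice and the keys come out identical, which is the precomputation and replay concern the nonce exists to prevent.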


More information about the Info-cyrus mailing list