[Standards] rfc3920bis: SASL "fallback" on auth failure

Alexey Melnikov alexey.melnikov at isode.com
Wed Mar 26 10:34:59 UTC 2008


Ralph Meijer wrote:

>On Tue, 2008-03-25 at 15:16 -0600, Peter Saint-Andre wrote:
>>Evan Schoenberg of the Adium project pinged offlist regarding the proper
>>behavior for a client to follow if SASL authentication fails using one
>>mechanism but other mechanisms are available.
>>[..]
>If one mechanism fails with <not-authorized/>, why would another one
>succeed, exactly?
>
Because different mechanisms might be using different authentication 
databases. For example DIGEST-MD5 and GSSAPI.

>I would say that a client should choose one mechanism
>that is offered by the server (maybe the 'strongest', whatever that is)
>and stick to it.
>
>Note that for other failures, like <mechanism-too-weak/>, changing
>mechanisms might be useful.
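The two positions in this exchange (stick with one mechanism unless the server says it was too weak, versus fall back because another mechanism may be backed by a different authentication database) can be expressed as a client-side selection policy. The following is an added illustration, not code from the thread or from any XMPP library; the mechanism preference order, the policy names and the attempt cap are assumptions chosen for the example.

```python
"""Client-side SASL mechanism fallback policy for XMPP (added illustration)."""
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Assumed client preference order, strongest first.
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "PLAIN"]

# Failure conditions after which switching mechanism is allowed under each
# policy.  "strict" follows the "choose one and stick to it" view and only
# retries after <mechanism-too-weak/>; "fallback" also retries after
# <not-authorized/>, on the assumption that mechanisms may be served from
# different authentication databases.
RETRY_CONDITIONS = {
    "strict": {"mechanism-too-weak"},
    "fallback": {"mechanism-too-weak", "not-authorized"},
}
# Cap total attempts so repeated failures do not exhaust a server-side
# lockout budget for the account.
MAX_ATTEMPTS = 3

# Constructed sample of a SASL <failure/> stanza as a server would send it.
SAMPLE_FAILURE = (
    '<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>'
)


def failure_condition(stanza: str) -> str:
    """Return the local name of the condition child of a SASL <failure/>."""
    root = ET.fromstring(stanza)
    if root.tag != f"{{{SASL_NS}}}failure":
        raise ValueError("not a SASL failure element")
    for child in root:
        if child.tag.startswith(f"{{{SASL_NS}}}"):
            return child.tag.split("}", 1)[1]
    raise ValueError("failure element without a condition")


def next_mechanism(offered, tried, last_condition, policy="strict"):
    """Pick the next mechanism to try, or None if the client should give up."""
    if len(tried) >= MAX_ATTEMPTS:
        return None
    if tried and last_condition not in RETRY_CONDITIONS[policy]:
        return None
    for mech in PREFERENCE:
        if mech in offered and mech not in tried:
            return mech
    return None


if __name__ == "__main__":
    cond = failure_condition(SAMPLE_FAILURE)
    print(cond, next_mechanism(["GSSAPI", "DIGEST-MD5"], ["GSSAPI"], cond, "fallback"))
```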