[Standards] rfc3920bis: SASL "fallback" on auth failure

Joe Hildebrand hildjj at gmail.com
Wed Mar 26 17:07:03 UTC 2008


On Mar 26, 2008, at 5:11 AM, Alexey Melnikov wrote:

>>> - If not, and we can use a negotiated security layer, what happens
>>> when you try to switch to a SASL mechanism that doesn't support that
>>> security layer?
>>>
>> If the client's minimum security level requires a security layer,  
>> then the client should never pick a mechanism that does not have one.
>>
> Exactly. The client should require some minimal security layer from  
> TLS and/or SASL.

My point is what happens if the first (failing) mechanism had  
negotiated a security layer as a prelude to doing authentication?  Is  
that security layer still in effect when you try the new mechanism?   
If the new mechanism negotiates its own security layer, will there be  
multiple layers in effect?

-- 
Joe Hildebrand



