[Standards] rfc3920bis: SASL "fallback" on auth failure
alexey.melnikov at isode.com
Wed Mar 26 17:10:27 UTC 2008
Joe Hildebrand wrote:
> On Mar 26, 2008, at 5:11 AM, Alexey Melnikov wrote:
>>>> - If not, and we can use a negotiated security layer, what happens
>>>> when you try to switch to a SASL mechanism that doesn't support that
>>>> security layer?
>>> If the client's minimum security level requires a security layer,
>>> then the client should never pick a mechanism that does not have one.
>> Exactly. The client should require some minimal security layer from
>> TLS and/or SASL.
> My point is what happens if the first (failing) mechanism had
> negotiated a security layer as a prelude to doing authentication?
This is not possible in SASL. A security layer can only be enabled if
authentication is successful.
> Is that security layer still in effect when you try the new
> mechanism? If the new mechanism negotiates its own security layer,
> will there be multiple layers in effect?
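
Added example, not part of the original message or of any XMPP implementation: a small client-side model of the two rules stated in this thread, namely that a client requiring a security layer skips mechanisms that cannot provide one, and that a failed mechanism leaves no SASL layer behind for the fallback attempt. The capability table, the `try_mech` callback and all names are assumptions made for illustration; the model also assumes a layer is negotiated whenever the successful mechanism supports one.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed capability table (assumption): can the mechanism negotiate
# a SASL security layer at all?
MECH_HAS_LAYER = {"GSSAPI": True, "DIGEST-MD5": True, "PLAIN": False}


@dataclass
class Session:
    tls: bool                          # TLS already negotiated on the stream
    sasl_layer: Optional[str] = None   # mechanism whose layer is active, if any


def acceptable(mech: str, session: Session, require_layer: bool) -> bool:
    """Client policy: if a security layer is required and TLS does not
    supply it, only mechanisms that can provide one may be picked."""
    if not require_layer or session.tls:
        return True
    return MECH_HAS_LAYER.get(mech, False)


def authenticate(session: Session, offered: List[str], require_layer: bool,
                 try_mech: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Try the offered mechanisms in order, falling back on failure.
    try_mech(mech) is a hypothetical callback that runs the exchange and
    returns True on success."""
    attempts = []
    for mech in offered:
        if not acceptable(mech, session, require_layer):
            attempts.append((mech, "skipped"))
            continue
        if not try_mech(mech):
            # Failure: nothing was installed, so the next mechanism
            # starts without any SASL layer in effect.
            assert session.sasl_layer is None
            attempts.append((mech, "failed"))
            continue
        # Only a successful authentication may enable a security layer,
        # so at most one SASL layer can ever be active.
        if MECH_HAS_LAYER.get(mech, False):
            session.sasl_layer = mech
        attempts.append((mech, "ok"))
        break
    return attempts
```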