[Standards] rfc3920bis: SASL "fallback" on auth failure

Alexey Melnikov alexey.melnikov at isode.com
Wed Mar 26 17:10:27 UTC 2008

Joe Hildebrand wrote:

> On Mar 26, 2008, at 5:11 AM, Alexey Melnikov wrote:
>>>> - If not, and we can use a negotiated security layer, what happens
>>>> when you try to switch to a SASL mechanism that doesn't support that
>>>> security layer?
>>> If the client's minimum security level requires a security layer,  
>>> then the client should never pick a mechanism that does not have one.
>> Exactly. The client should require some minimal security layer from  
>> TLS and/or SASL.
> My point is what happens if the first (failing) mechanism had  
> negotiated a security layer as a prelude to doing authentication?

This is not possible in SASL. A security layer can only be enabled if 
authentication is successful.

> Is that security layer still in effect when you try the new
> mechanism? If the new mechanism negotiates its own security layer,
> will there be multiple layers in effect?
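
Added example, not part of the original message or of any XMPP implementation: a client-side sketch of the fallback discussed in this thread, where protection must come from TLS and/or SASL and a security layer takes effect only after a successful authentication. The mechanism table, the `attempt` callback, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Whether each mechanism can negotiate a SASL security layer.
HAS_LAYER = {"GSSAPI": True, "DIGEST-MD5": True, "PLAIN": False}

@dataclass
class Session:
    tls_active: bool
    sasl_layer: Optional[str] = None  # mechanism whose layer is in effect

def acceptable(mech: str, s: Session, need_protection: bool) -> bool:
    """Client policy: protection must come from TLS and/or the SASL mechanism."""
    if not need_protection or s.tls_active:
        return True
    return HAS_LAYER.get(mech, False)

def authenticate(s, offered, need_protection, attempt):
    """Try mechanisms in order. attempt(mech) -> bool is a hypothetical
    stand-in for the real exchange. Returns (mechanism or None, trace);
    each trace entry records the layer in effect after that step."""
    trace = []
    for mech in offered:
        if not acceptable(mech, s, need_protection):
            trace.append((mech, "skipped", s.sasl_layer))
            continue
        if attempt(mech):
            # Assumption: the client takes the mechanism's layer on success
            # unless TLS is already protecting the stream.
            if HAS_LAYER.get(mech, False) and not s.tls_active:
                s.sasl_layer = mech
            trace.append((mech, "success", s.sasl_layer))
            return mech, trace
        # Failure: no layer was installed, so nothing carries over
        # into the next mechanism's attempt.
        trace.append((mech, "failure", s.sasl_layer))
    return None, trace

def demo():
    # Constructed scenario: no TLS, DIGEST-MD5 credentials rejected.
    s = Session(tls_active=False)
    return authenticate(s, ["PLAIN", "DIGEST-MD5", "GSSAPI"], True,
                        lambda m: m == "GSSAPI"), s

if __name__ == "__main__":
    (mech, trace), s = demo()
    for step in trace:
        print(step)
    print("authenticated with", mech, "layer:", s.sasl_layer)
```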
