[Jabber-IETF] SASL issues

Marshall Rose mrose+internet.ietf.jabber at dbc.mtview.ca.us
Thu Oct 10 15:55:49 CDT 2002

> >     1b. does the sasl stuff in the xmpp spec provide the security we want?
> >         [completeness]
> You require TLS as well, of course, to achieve confidentiality.

not true. the "sl" in "sasl" refers to "security layer" which is the term that sasl uses to refer to message integrity and privacy.

for example, if i try to negotiate the use of the sasl mechanism digest-md5, in addition to authentication, i may also ask for message-integrity or integrity+privacy. you don't need to use tls for privacy.

as to whether or not you want to use tls, that's really a provisioning issue, not a protocol issue.
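
The security-layer negotiation described in the message above, as an added example that is not part of the original post: a client-side check that reads the `qop` a DIGEST-MD5 server offers (RFC 2831) and refuses to continue below a required layer. The function names, the policy floor and the sample challenge are assumptions made for illustration.

```python
import re

# qop values DIGEST-MD5 defines (RFC 2831), ranked weakest to strongest:
# auth = authentication only, auth-int = + integrity, auth-conf = + privacy
QOP_RANK = {"auth": 0, "auth-int": 1, "auth-conf": 2}
_PAIR = re.compile(r'\s*([A-Za-z0-9-]+)\s*=\s*'
                   r'(?:"((?:[^"\\]|\\.)*)"|([^,\s"]+))\s*(?:,|$)')

# Constructed sample challenge (decoded form), not captured from a real server.
SAMPLE = ('realm="example.com",nonce="Y29uc3RydWN0ZWQ",'
          'qop="auth,auth-int,auth-conf",cipher="rc4,3des",'
          'algorithm=md5-sess,charset=utf-8')

def parse_challenge(challenge):
    """Parse a digest-challenge into {directive: value}; first occurrence wins."""
    out, pos = {}, 0
    while pos < len(challenge):
        m = _PAIR.match(challenge, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}")
        value = m.group(2) if m.group(2) is not None else m.group(3)
        out.setdefault(m.group(1).lower(), re.sub(r'\\(.)', r'\1', value))
        pos = m.end()
    return out

def _csv(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def select_qop(challenge, minimum="auth"):
    """Return (qop, ciphers) for the strongest offered layer, enforcing a floor."""
    d = parse_challenge(challenge)
    # An absent qop directive means the server offers "auth" only.
    offered = [q for q in _csv(d.get("qop", "auth")) if q in QOP_RANK]
    if not offered:
        raise ValueError("no supported qop offered")
    best = max(offered, key=QOP_RANK.get)
    if QOP_RANK[best] < QOP_RANK[minimum]:
        raise PermissionError(f"server offers at most {best}, need {minimum}")
    ciphers = _csv(d.get("cipher", "")) if best == "auth-conf" else []
    if best == "auth-conf" and not ciphers:
        raise ValueError("auth-conf offered without a cipher list")
    return best, ciphers

if __name__ == "__main__":
    print(select_qop(SAMPLE, minimum="auth-conf"))
```

DIGEST-MD5 was later moved to Historic status by RFC 6331.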


