On Fri, Oct 29, 2004 at 03:17:29PM -0400, Kevin wrote:
> > Check the SSF (security strength factor) value. It should be 128 for
> > DIGEST-MD5. You may
> > also just tcpdump the traffic.
>
> Isn't the SSF addressing only the issue of the credentials (as opposed
> to the content)? I see the same SSF when I use non-encrypted
> connections. I've tried using tcpdump, but I don't have enough
> experience with it yet to make a clear determination. Just thought I'd
> see how you were coming to that conclusion.
Check out RFC 2831, section 2.3: (http://www.ietf.org/rfc/rfc2831.txt)
(This is the DIGEST-MD5 SASL mechanism RFC.)

    2.4 Confidentiality Protection

    If the server sent a "cipher-opts" directive and the client responded
    with a "cipher" directive, then subsequent messages between the
    client and the server MUST be confidentiality protected.

Section 2.3 is about integrity protection.
So, the client can request confidentiality and integrity protection with
digest-md5.
And it will protect the whole data exchange, not just authentication.
This was also discussed on a related thread at the cyrus-imapd mailing list:
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=31051
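An added example (mine, not from either poster) that applies the RFC 2831 rule quoted above to a DIGEST-MD5 exchange: it parses the server challenge and the client response and reports whether the session will carry a confidentiality layer (auth-conf with a cipher on both sides), an integrity layer, or none. The realm, user, nonces and digest value are constructed placeholders.

```python
# Added example, not from the thread: applies the RFC 2831 section 2.4 rule quoted
# above. Sample challenge/response strings are constructed; the digest is a placeholder.
import re

# One directive: token "=" (token | quoted-string), followed by "," or end of
# string. Quoted values may contain commas, e.g. qop="auth,auth-int,auth-conf".
_DIRECTIVE = re.compile(r'\s*([^=,\s]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,]*?))\s*(?:,|$)')

def parse_directives(msg: str) -> dict:
    """Parse a digest-challenge or digest-response into {name: value}."""
    out, pos = {}, 0
    while pos < len(msg):
        m = _DIRECTIVE.match(msg, pos)
        if not m:
            raise ValueError(f"malformed directive near offset {pos}")
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        out[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", raw)  # undo \" and \\
        pos = m.end()
    return out

def protection_level(challenge: str, response: str) -> str:
    """Return the negotiated qop ('auth', 'auth-int' or 'auth-conf').

    Confidentiality (auth-conf) counts only when the server offered a "cipher"
    directive and the client answered with one that was on the list (RFC 2831 2.4).
    """
    srv, cli = parse_directives(challenge), parse_directives(response)
    offered_qop = {q.strip() for q in srv.get("qop", "auth").split(",")}
    qop = cli.get("qop", "auth")
    if qop not in offered_qop:
        raise ValueError(f"client chose qop={qop}, server offered {sorted(offered_qop)}")
    if qop == "auth-conf":
        if "cipher" not in srv or "cipher" not in cli:
            raise ValueError("auth-conf needs a cipher directive from both sides")
        if cli["cipher"] not in {c.strip() for c in srv["cipher"].split(",")}:
            raise ValueError(f"client cipher {cli['cipher']} was not offered")
    return qop

# Constructed sample exchange (realm, nonces and digest value are not real).
CHALLENGE = ('realm="example.com",nonce="OA6MG9tEQGm2hh",qop="auth,auth-int,auth-conf",'
             'cipher="rc4-40,rc4-56,rc4,des,3des",charset=utf-8,algorithm=md5-sess')
RESPONSE_CONF = ('username="alice",realm="example.com",nonce="OA6MG9tEQGm2hh",'
                 'cnonce="OA6MHXh6VqTrRk",nc=00000001,qop=auth-conf,cipher=rc4,'
                 'digest-uri="imap/mail.example.com",response=PLACEHOLDER,charset=utf-8')
RESPONSE_PLAIN = RESPONSE_CONF.replace("qop=auth-conf,cipher=rc4,", "qop=auth,")

if __name__ == "__main__":
    print("auth-conf exchange:", protection_level(CHALLENGE, RESPONSE_CONF))
    print("plain exchange:    ", protection_level(CHALLENGE, RESPONSE_PLAIN))
```

A client that sends qop=auth-conf without a cipher, or a cipher the server never offered, is rejected rather than silently treated as encrypted.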