Re: Cyrus POP3 Issue

From: Marco Colombo (no email)
Date: Fri Mar 11 2005 - 05:33:18 EST

  • Next message: Jukka Salmi: "how to set interface specific options?"

    Rob Siemborski wrote:
    > SASL doesn't generate *keys* using this, it generates *nonces*, which
    > are known to the attacker anyway, since they are transmitted in the
    > clear anyway. It just matters that they don't repeat often enough to
    > bother precomputing values for.
    >
    > If SASL was using this for key generation, then yes, most of the
    > comments in this thread have merit.

    Ok, technically speaking, SSL/TLS is not part of SASL. But the two are
    related. Maybe I'm biased by the fact that most of the connections I see
    are SSL+plaintext. So I was referring to SSL keys actually.

    I have to say I'm not familiar with CRAM-MD5/DIGEST-MD5. But in the latter
    the channel can be encrypted, so I guess at some point a shared session
    key is generated.

    > -Rob
    >
    > (Hmmm, it's possible that the SRP plugin is using this for something
    > else, I'm not familiar enough with SRP and would have to ask Ken).
    >

    .TM.

    -- 
           ____/  ____/   /
          /      /       /			Marco Colombo
         ___/  ___  /   /		      Technical Manager
        /          /   /			 ESI s.r.l.
      _____/ _____/  _/		       
    ---
    Cyrus Home Page: http://asg.web.cmu.edu/cyrus
    Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
    List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
    
