On Fri, 11 Mar 2005, Marco Colombo wrote:

Ok technically speaking SSL/TLS is not part of SASL. But the two are
related. Maybe I'm biased by the fact that most of the connections I see
are SSL+plaintext. So I was referring to SSL keys actually.

Sure, or, say, Kerberos keys.

For what SASL is using it for, it's a far lesser sin.

I have to say I'm not familiar with CRAM-MD5/DIGEST-MD5. But in the latter
the channel can be encrypted, so I guess at some point a shared session
key is generated.

Yes, there is a session key here, but the information it is based off of is the nonces (as I said, they need to be sent in the clear anyway, so coming from urandom doesn't matter that much), the shared secret, and some static text.


See RFC 2831.

-Rob

---------------------------------------------------------------------
Rob Siemborski

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
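
The DIGEST-MD5 key derivation the reply above points to in RFC 2831, as an added example that is not part of the original message and is not Cyrus SASL code. The user, realm, password and nonce values are constructed; the formulas and constant strings follow RFC 2831 sections 2.1.2.1, 2.3 and 2.4, and ASCII-only inputs are assumed.

```python
import hashlib

# Static text ("magic constants") from RFC 2831 sections 2.3 and 2.4.
SIGN_C2S = b"Digest session key to client-to-server signing key magic constant"
SIGN_S2C = b"Digest session key to server-to-client signing key magic constant"
SEAL_C2S = b"Digest H(A1) to client-to-server sealing key magic constant"
SEAL_S2C = b"Digest H(A1) to server-to-client sealing key magic constant"

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def h_a1(username, realm, password, nonce, cnonce, authzid=None):
    """H(A1): the only secret-dependent input to every session key."""
    # Assumption: ASCII inputs, so the RFC's charset rules do not change the bytes.
    secret = md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 = secret + b":" + nonce.encode() + b":" + cnonce.encode()
    if authzid is not None:
        a1 += b":" + authzid.encode("utf-8")
    return md5(a1)

def session_keys(ha1: bytes, n: int = 16):
    """Per-direction keys; n is 5 (rc4-40), 7 (rc4-56) or 16 (other ciphers)."""
    return {
        "Kic": md5(ha1 + SIGN_C2S),      # client-to-server integrity key
        "Kis": md5(ha1 + SIGN_S2C),      # server-to-client integrity key
        "Kcc": md5(ha1[:n] + SEAL_C2S),  # client-to-server sealing key
        "Kcs": md5(ha1[:n] + SEAL_S2C),  # server-to-client sealing key
    }

def derive(password, nonce, cnonce, user="alice", realm="example.org"):
    # Hypothetical helper: user and realm defaults are constructed values.
    return session_keys(h_a1(user, realm, password, nonce, cnonce))

if __name__ == "__main__":
    # Constructed nonces; both travel in the clear during the exchange.
    nonce, cnonce = "c2VydmVyLW5vbmNl", "Y2xpZW50LW5vbmNl"
    real = derive("correct horse", nonce, cnonce)
    guess = derive("wrong guess", nonce, cnonce)
    for name in real:
        # Same public nonces, different shared secret: no key matches.
        print(name, real[name].hex(), "matches guess:", real[name] == guess[name])
```

With both nonces known to an observer, the keys still differ whenever the shared secret differs, so the secrecy of the session keys rests on the password rather than on the nonces.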
