On 11/17/09 12:52 AM, Alexey Melnikov wrote:
> Tobias Markmann wrote:
>> Hi,
> Hi Tobias,
>> According to 3920bis-03 there are these two errors defined:
>> mechanism-invalid [1] and mechanism-too-weak [2]. I think
>> mechanism-invalid would be sufficient.
>>
>> SASL usually works the way that first the server advertises what it
>> supports and then the client gets to choose. A client selecting a
>> mechanism which hasn't been advertised is quite broken in my opinion.
> I agree.
> But there might be another use case for the error code - selection of a
> mechanism which is considered too weak for a particular user. In such
> a case the server would advertise the mechanism to everybody, but return
> the error for some users.

That was the intent for mechanism-too-weak. For example, if you want to
authenticate as an administrative user then you might not be allowed to
use a weaker mechanism (even if the server offered it to you because it
didn't know who you were at that point).

Peter

--
Peter Saint-Andre
https://stpeter.im/
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
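
The per-user check discussed in this thread, sketched as an added example; it is not part of the original messages and not taken from any XMPP server. The condition names are used as written in the thread; the strength ranking, the user table, the sample credentials and all function names are assumptions made for illustration.

```python
import base64

NS = "urn:ietf:params:xml:ns:xmpp-sasl"
# Constructed policy data (assumptions, not from the thread or the draft).
ADVERTISED = ["PLAIN", "DIGEST-MD5", "SCRAM-SHA-1"]
STRENGTH = {"PLAIN": 0, "DIGEST-MD5": 1, "SCRAM-SHA-1": 2}
MIN_MECHANISM = {"admin": "SCRAM-SHA-1"}  # users absent here may use any offer

# Constructed PLAIN initial responses: [authzid] NUL authcid NUL passwd
SAMPLE_ADMIN = base64.b64encode(b"\x00admin\x00example-pw").decode()
SAMPLE_USER = base64.b64encode(b"\x00juliet\x00example-pw").decode()


def authcid_from_plain(initial_response_b64):
    """Pull the authentication identity out of a PLAIN message (RFC 4616)."""
    raw = base64.b64decode(initial_response_b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed PLAIN message")
    return parts[1].decode("utf-8")


def check_mechanism(mechanism, authcid=None):
    """Return the failure condition name, or None if the exchange may go on."""
    if mechanism not in ADVERTISED:
        return "mechanism-invalid"      # client picked something never offered
    required = MIN_MECHANISM.get(authcid)
    if required and STRENGTH[mechanism] < STRENGTH[required]:
        return "mechanism-too-weak"     # offered to all, refused for this user
    return None


def handle_auth(mechanism, initial_response_b64=None):
    """Return a <failure/> element as text, or None to continue the exchange."""
    authcid = None
    if mechanism == "PLAIN" and initial_response_b64:
        authcid = authcid_from_plain(initial_response_b64)  # identity now known
    condition = check_mechanism(mechanism, authcid)
    if condition is None:
        return None
    return "<failure xmlns='%s'><%s/></failure>" % (NS, condition)
```

With PLAIN the server learns the identity only from the initial response, so the password has already been sent by the time mechanism-too-weak comes back.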