On 9/22/06, Nicolas Williams <Nicolas.Williams@xxxxxxx> wrote:
BTW, the whole concept of absolute security strength factors is broken. After all, the relative strengths of ciphers, hashes, MACs, assymertic cryptographic algorithms (RSA, DH, etc...) and cryptographic protocols built on them are variable over time. And some constructions can be much stronger than the individual components used to build them. IMO the right way to design an API for expressing and enforcing policy relating to the strength of cryptographic systems used, and in the face of pluggable frameworks, is to provide for rules-based profiles that applications and libraries refer to by name, and which mechanisms simply evaluate. Then administrators can write profiles that express the policies that they want.
This is a very interesting point. You probably should point this out at SASL ietf mailing list: http://www.imc.org/ietf-sasl -- Zaar
