Re: Information about SASL and LDAP

On 01/12/2011 07:26, Patrick Ben Koetter wrote:
> * Carson Gaspar <carson@xxxxxxxxxx>:
>> On 11/30/2011 4:18 PM, Howard Chu wrote:
>>> On 30/11/11 11:16 +0100, Christian Roessner wrote:
>>>> cmusaslsecretCRAM-MD5
>>>> cmusaslsecretDIGEST-MD5 and
>>>> cmusaslsecretNTLM
>>>
>>> As I recall these are all plaintext-equivalents; i.e. there is no
>>> security benefit from using these pre-hashed values, so they've been
>>> deprecated already. The plugins will retrieve and use them if they're
>>> present, but nothing creates them.
>>
>> They are _not_ plaintext equivalents. They are realm-limited, so
>> compromise is limited to just the set of services sharing that realm
>> (in many cases a single service). i.e. they don't let me use your
>> password to log in to gmail, or get a shell on your box.
>>
>> The fact that the cyrus folks decided to deprecate these in favor of
>
> Are they really deprecated? Because if they are, it's no use to document them,
> which is something I am working on.

I would like to deprecate the CRAM-MD5 and the NTLM one, mostly because the mechanisms are so weak. But last time I tried, I got objections from somebody saying that they have a web application that can generate cmusaslsecretCRAM-MD5 and it relies on the CRAM-MD5 plugin being able to read it.

For the time being I don't think that cmusaslsecretDIGEST-MD5 should be considered deprecated.
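Worked example, added by the editor and not part of this thread or of Cyrus SASL: what the "realm-limited" argument above amounts to for DIGEST-MD5 (RFC 2831). It assumes that the stored cmusaslsecretDIGEST-MD5 value is the 16 raw bytes of MD5(username:realm:password), i.e. the inner hash of A1 in RFC 2831 section 2.1.2.1, and that qop=auth is used. The user, realms, nonces and digest-uris in realm_limit_demo are constructed test values; rfc2831_example_response reproduces the section 4 example from the RFC. Whoever holds only the stored value can complete the challenge-response against any server in the same realm (so within that realm it is plaintext-equivalent, as Howard says), but the same bytes fail against a server in another realm, whose stored value is MD5(username:otherrealm:password) (Carson's point).

```python
"""DIGEST-MD5 (RFC 2831) with a pre-hashed, realm-bound secret.

Editor's example, not code from the thread or from Cyrus SASL.
Assumptions: the stored secret is the 16 raw bytes of
MD5(username:realm:password); qop=auth; one realm per server.
"""
import hashlib
import hmac


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What a server keeps instead of the password (assumed cmusaslsecretDIGEST-MD5 layout)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, digest_uri: str,
                        nc: str = "00000001", qop: str = "auth") -> str:
    """Client 'response' directive, RFC 2831 2.1.2.1, computed from the
    pre-hashed secret alone: the password itself is never needed here."""
    a1 = secret + f":{nonce}:{cnonce}".encode()            # H(user:realm:pass) ":" nonce ":" cnonce
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()  # A2 for qop=auth
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"       # KD(HEX(H(A1)), ...)
    return hashlib.md5(kd.encode()).hexdigest()


def server_verify(secret: bytes, nonce: str, cnonce: str, digest_uri: str,
                  response: str) -> bool:
    """Server side: recompute from its own stored secret, compare in constant time."""
    expected = digest_md5_response(secret, nonce, cnonce, digest_uri)
    return hmac.compare_digest(expected, response)


def rfc2831_example_response() -> str:
    """RFC 2831 section 4 vector: chris / elwood.innosoft.com / 'secret'."""
    sec = stored_secret("chris", "elwood.innosoft.com", "secret")
    return digest_md5_response(sec, "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk",
                               "imap/elwood.innosoft.com")


def realm_limit_demo() -> dict:
    """Leak realm A's stored secret and replay it against realm A and realm B."""
    user, password = "alice", "correct horse battery staple"    # constructed
    realm_a, realm_b = "mail.example.com", "ldap.example.net"   # constructed
    # Each server's directory holds only its own realm-bound hash, never the password.
    db_a = stored_secret(user, realm_a, password)
    db_b = stored_secret(user, realm_b, password)
    nonce, cnonce = "n0nc3FromServer", "cn0nc3FromClient"        # constructed

    leaked = db_a   # attacker read the entry for realm A; does not know the password
    against_a = server_verify(
        db_a, nonce, cnonce, f"imap/{realm_a}",
        digest_md5_response(leaked, nonce, cnonce, f"imap/{realm_a}"))
    against_b = server_verify(
        db_b, nonce, cnonce, f"ldap/{realm_b}",
        digest_md5_response(leaked, nonce, cnonce, f"ldap/{realm_b}"))
    return {
        "secrets_differ_per_realm": db_a != db_b,
        "leak_works_in_same_realm": against_a,    # plaintext-equivalent inside the realm
        "leak_works_in_other_realm": against_b,   # useless outside it
    }


if __name__ == "__main__":
    print("RFC 2831 response:", rfc2831_example_response())
    print(realm_limit_demo())
```

Two caveats follow from the construction. The leaked value is still an unsalted MD5 over a known username and realm plus the password, so it is only as resistant to offline cracking as the password itself. And the realm binding is a DIGEST-MD5 property: CRAM-MD5 has no realm at all, and NTLM's response is derived from a hash of the password alone, so a leaked cmusaslsecretCRAM-MD5 or cmusaslsecretNTLM value is usable wherever that user presents the same password over the same mechanism.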
