Thread: Re: rfc3920bis: SASL "fallback" on auth failure




Re: rfc3920bis: SASL "fallback" on auth failure
United Kingdom
2008-03-26 05:34:59
Ralph Meijer wrote:

>On Tue, 2008-03-25 at 15:16 -0600, Peter Saint-Andre wrote:
>
>>Evan Schoenberg of the Adium project pinged offlist regarding the proper
>>behavior for a client to follow if SASL authentication fails using one
>>mechanism but other mechanisms are available.
>>[..]
>>
>If one mechanism fails with <not-authorized/>, why would another one
>succeed, exactly?
>
Because different mechanisms might be using different authentication
databases. For example DIGEST-MD5 and GSSAPI.

>I would say that a client should choose one mechanism
>that is offered by the server (maybe the 'strongest', whatever that is)
>and stick to it.
>
>Note that for other failures, like <mechanism-too-weak/>, changing
>mechanisms might be useful.


Re: rfc3920bis: SASL "fallback" on auth failure
2008-03-26 05:48:52
Alexey Melnikov wrote:
> Ralph Meijer wrote:
>> On Tue, 2008-03-25 at 15:16 -0600, Peter Saint-Andre wrote:
>>> Evan Schoenberg of the Adium project pinged offlist regarding the proper
>>> behavior for a client to follow if SASL authentication fails using one
>>> mechanism but other mechanisms are available.
>>> [..]
>> If one mechanism fails with <not-authorized/>, why would another one
>> succeed, exactly?
> Because different mechanisms might be using different authentication
> databases. For example DIGEST-MD5 and GSSAPI.
Is it usually possible for the server to know that the failure was caused by
using the wrong method? If yes, maybe it would be worth adding a different
error for this case?

-- 
Maciek
  xmpp:machekkuuaznia.net
