Eliot
On Wed, Mar 09, 2005 at 03:54:35PM -0600, Eliot Lear wrote:
d) Section 1.1:
The SASL profile used by BEEP allows for a simple and direct mapping to the existing security model for CLI, while TLS provides a strong well tested encryption mechanism with either server or server and client-side authentication.
I learned in the ISMS WG that SASL over TLS is not necessarily secure. Has BEEP fixed this problem, or should we better explain the issue here and/or in the security considerations section?
Can you please elaborate? I can envision problems if client-side certificates are in use and EXTERNAL SASL is in play. Is that what you are referring to? Wes, would you care to comment?
My understanding is that common SASL usage in combination with TLS lacks a cryptographic binding of the authentication exchange with the underlying secure transport. Wes surely can explain that better than I can. I am just wondering whether BEEP "suffers" from the same problem or not.
/js
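The missing binding Juergen describes can be made concrete with a small model. The following is an added example, not code from the thread, BEEP or any SASL library: a toy challenge-response proof (HMAC over a server nonce) is computed by the client on one TLS session, and the server checks it against the TLS session it actually terminated. The channel-binding value is a constructed stand-in (a digest over a handshake transcript), not a real TLS implementation; without it the proof verifies regardless of which TLS session carried it, with it the proof only verifies when both ends see the same session.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for a TLS channel-binding value: a digest over the
# session's handshake transcript. Real TLS can export such a value (e.g. the
# first Finished message); this toy only models that it is session-specific.
def channel_binding(tls_handshake_transcript: bytes) -> bytes:
    return hashlib.sha256(b"cb:" + tls_handshake_transcript).digest()

def client_proof(password: bytes, server_nonce: bytes,
                 cb: Optional[bytes] = None) -> bytes:
    """Challenge-response proof: HMAC(password, nonce || channel_binding).
    With cb=None the proof covers only the nonce, i.e. the unbound case."""
    return hmac.new(password, server_nonce + (cb or b""), hashlib.sha256).digest()

def server_verify(password: bytes, server_nonce: bytes, proof: bytes,
                  cb: Optional[bytes] = None) -> bool:
    """Server recomputes the proof using the binding of ITS OWN TLS session."""
    expected = client_proof(password, server_nonce, cb)
    return hmac.compare_digest(expected, proof)

# Constructed sample data: two distinct TLS sessions and one shared nonce.
PASSWORD = b"constructed-password"
NONCE = b"constructed-server-nonce-0001"
SESSION_CLIENT_SIDE = b"constructed handshake transcript: client <-> endpoint A"
SESSION_SERVER_SIDE = b"constructed handshake transcript: endpoint B <-> server"

def authenticate(bind: bool, same_session: bool) -> bool:
    """Run the exchange. `bind` enables channel binding on both ends;
    `same_session` models whether client and server share one TLS session."""
    cb_client = channel_binding(SESSION_CLIENT_SIDE) if bind else None
    server_transcript = SESSION_CLIENT_SIDE if same_session else SESSION_SERVER_SIDE
    cb_server = channel_binding(server_transcript) if bind else None
    proof = client_proof(PASSWORD, NONCE, cb_client)
    return server_verify(PASSWORD, NONCE, proof, cb_server)

if __name__ == "__main__":
    # Unbound: accepted even though the two ends sit on different TLS sessions.
    print("unbound, different sessions:", authenticate(bind=False, same_session=False))
    # Bound: rejected unless the proof was made on the server's own session.
    print("bound, different sessions:  ", authenticate(bind=True, same_session=False))
    print("bound, same session:        ", authenticate(bind=True, same_session=True))
```

The check a reviewer would want from a BEEP/SASL profile is the third line: authentication succeeds only when the SASL proof is tied to the TLS session the server itself terminated.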
-- to unsubscribe send a message to netconf-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/netconf/>