Joe Hildebrand wrote:
On Mar 26, 2008, at 5:11 AM, Alexey Melnikov wrote:

- If not, and we can use a negotiated security layer, what happens
when you try to switch to a SASL mechanism that doesn't support that
security layer?

If the client's minimum security level requires a security layer,
then the client should never pick a mechanism that does not have one.

Exactly. The client should require some minimal security layer from
TLS and/or SASL.

My point is what happens if the first (failing) mechanism had
negotiated a security layer as a prelude to doing authentication?

This is not possible in SASL. A security layer can only be enabled if
authentication is successful.

Is that security layer still in effect when you try the new
mechanism? If the new mechanism negotiates its own security layer,
will there be multiple layers in effect?