quanah@zimbra.com wrote:
--On Monday, October 29, 2007 8:13 PM +0000 hyc@symas.com wrote:
You really need to read more carefully. If you only care about the overall SSF, regardless of whether it's from TLS or SASL, then just use the "ssf" factor. --
Nice, in theory, but I think my example was bad. So let's rehash.
When I was at Stanford, the SASL SSF max was 56, because of the DES keys. The TLS SSF was 128. So how would I indicate that I want EITHER a SASL SSF of 56 or a TLS SSF of 128 using the security directive?
You don't. That would open you up to a downgrade attack.