Graham Barr wrote: > On Feb 22, 2006, at 4:19 AM, Simon Wilkinson wrote: >> I've got a security layers patch for Authen::SASL which should be done >> by the end of the week, if you could wait till then? > > Are these changes ready to commit ?
No - I hit upon some problems that I haven't yet had time to investigate fully. Don't wait for me! It may be worth adding a warning to the DESCRIPTION section along the lines of "Please note that this module does not currently implement a SASL security layer following authentication. Unless the connection is protected by other means, such as TLS, it will be vulnerable to man-in-the-middle attacks. If security layers are required, then the Authen::SASL::Cyrus GSSAPI module should be used instead." Cheers, Simon.
