On Mon Dec 10 19:33:28 2007, Tony Finch wrote:
> From the client's perspective, yes. However in normal SASL-over-TLS
> scenarios the client is not authenticated to the server by TLS - after
> all, that's why you are doing SASL. So the server wants to be sure that
> it is talking directly to the client that it is authenticating, so it
> uses channel binding to force the authentication to fail if the client
> is bogus. The key is that you can't be sure that you have proper
> *mutual* authentication if the privacy layer isn't bound to the
> authentication layer.

Right - it's quite easy to read that article thinking that Alice is a client, and Bob the server, but it's all true in the other direction, too.

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

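The failure mode Tony describes above, as an added example that is not part of the thread: a constructed Python simulation of a SASL-style proof that is (or is not) bound to the TLS channel. The channel binding value is assumed to be a hash of the TLS handshake transcript, standing in for tls-unique/tls-exporter data that both ends of one TLS connection derive and that differs between connections; the proof construction is a simplified HMAC over the exchange, not the exact SCRAM algorithm, and the credential, salt and handshake transcripts are constructed for the demo. When an attacker terminates the client's TLS connection and opens its own to the server, relaying the SASL messages unchanged, the unbound exchange succeeds and the bound one fails, because the client signs the binding of the connection it is actually on, which is not the one the server sees.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo credential and salt; fixed so that runs are repeatable.
PASSWORD = "correct horse battery staple"
SALT = b"constructed-salt"


def channel_binding(tls_handshake: bytes) -> bytes:
    """Stand-in for tls-unique / tls-exporter (assumption): a value that both
    endpoints of ONE TLS connection derive from their shared handshake, and
    that differs from connection to connection."""
    return hashlib.sha256(b"cb|" + tls_handshake).digest()


def derive_client_key(password: str) -> bytes:
    # Salted, iterated password hash; the server is assumed to hold this key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 4096)


def auth_message(c_nonce: bytes, s_nonce: bytes, cb: Optional[bytes]) -> bytes:
    # The data the proof covers. With binding, the channel binding value is
    # included (SCRAM carries it in its "c=" attribute; this is a simplified form).
    msg = b"n=user,r=" + c_nonce.hex().encode() + b",r=" + s_nonce.hex().encode()
    if cb is not None:
        msg += b",c=" + cb.hex().encode()
    return msg


def client_proof(password: str, c_nonce: bytes, s_nonce: bytes, cb: Optional[bytes]) -> bytes:
    key = derive_client_key(password)
    return hmac.new(key, auth_message(c_nonce, s_nonce, cb), hashlib.sha256).digest()


def server_check(stored_key: bytes, c_nonce: bytes, s_nonce: bytes,
                 cb: Optional[bytes], proof: bytes) -> bool:
    expected = hmac.new(stored_key, auth_message(c_nonce, s_nonce, cb), hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def sasl_exchange(client_tls: bytes, server_tls: bytes, bind: bool) -> bool:
    """Run one authentication. client_tls is the handshake transcript of the
    TLS connection the client is on; server_tls is that of the connection the
    server is on. They are equal only when the client talks to the server
    directly. A relaying attacker forwards the SASL messages unchanged."""
    c_nonce = secrets.token_bytes(16)
    s_nonce = secrets.token_bytes(16)
    # The client binds to the channel it can see.
    cb_client = channel_binding(client_tls) if bind else None
    proof = client_proof(PASSWORD, c_nonce, s_nonce, cb_client)
    # The proof and nonces cross the relay verbatim; the server binds to ITS channel.
    cb_server = channel_binding(server_tls) if bind else None
    return server_check(derive_client_key(PASSWORD), c_nonce, s_nonce, cb_server, proof)


# Constructed handshake transcripts for the two topologies.
DIRECT = b"handshake:client<->server"
MITM_CLIENT_SIDE = b"handshake:client<->attacker"
MITM_SERVER_SIDE = b"handshake:attacker<->server"


def direct_bound() -> bool:
    # Honest client on a direct connection: bound exchange succeeds.
    return sasl_exchange(DIRECT, DIRECT, bind=True)


def mitm_unbound() -> bool:
    # Relay attack against an UNBOUND exchange: the server accepts the relayed proof.
    return sasl_exchange(MITM_CLIENT_SIDE, MITM_SERVER_SIDE, bind=False)


def mitm_bound() -> bool:
    # Same relay against a BOUND exchange: the binding values differ, the proof fails.
    return sasl_exchange(MITM_CLIENT_SIDE, MITM_SERVER_SIDE, bind=True)


if __name__ == "__main__":
    print("direct, bound:   ", direct_bound())
    print("relayed, unbound:", mitm_unbound())
    print("relayed, bound:  ", mitm_bound())
```

The attacker in the bound case cannot repair the proof by substituting its own binding value, because recomputing the HMAC needs the password-derived key; that is the point of binding the SASL layer to the TLS layer rather than relying on TLS alone, which in this scenario only authenticates the server.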