On Thu, Dec 18, 2008 at 11:19:44PM +0100, Peter Rosin wrote:
> On 2008-12-17 11:53, Daniel P. Berrange wrote:
> >On Wed, Dec 17, 2008 at 08:56:02AM +0100, Peter Rosin wrote:
> >NB, there are only two common SASL mechanisms which provide SSF layers,
> >GSSAPI (Kerberos) and DIGEST-MD5. DIGEST-MD5 is deprecated as it is
> >considered to be an insufficiently secure negotiation. The other SASL
> >mechanisms all rely on the underlying connection to provide encryption.
> >As such, with the exception of people using Kerberos, for SASL to be secure
> >you'd want to have the VeNCrypt security type active with one of its
> >x509-based modes, or tunnelling over SSH, or another TLS-like protocol
> >extension (VINO has one - Security type 18, TLS - but as currently
> >implemented it is not sufficiently strong because it uses anonymous
> >Diffie-Hellman credentials instead of x509 certs - this is to be fixed).
>
> But can you really use the VeNCrypt security type like that without
> extending its spec (or using unofficial numbers)? What VeNCrypt subtypes
> do you plan to use to activate TLS/X509 and at the same time trigger
> the SASL security type? It seems that there is need for two new
> VeNCrypt subtypes (TLSSASL and X509SASL or something) for VeNCrypt and
> SASL to mix nicely.
Yes indeed. I've already discussed this with Stewart Becker, who has allocated sub-types for SASL within VeNCrypt. I'll include these details when I update the spec.

Daniel

--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

_______________________________________________
VNC-List mailing list
To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
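An added illustration of the two points in this exchange, written for this page and not taken from the thread, VeNCrypt, VINO or libvirt: a byte-level model of the VeNCrypt sub-type negotiation (u8 count followed by big-endian u32 sub-types from the server, one u32 choice from the client, a u8 accept byte back), and a client-side check implementing Daniel's rule that SASL only protects the session on its own when the mechanism negotiated an SSF layer (GSSAPI), and otherwise must sit on top of X.509 TLS rather than anonymous Diffie-Hellman TLS. The sub-type numbers for the SASL combinations are not given in the thread, so the constants below are constructed placeholders, as are the mechanism names and SSF values fed to the simulation.

```python
import struct

# Placeholder VeNCrypt sub-type numbers (assumption): the thread says
# sub-types for SASL were allocated but does not list them, so these values
# are constructed for the simulation and are not the registered numbers.
VENCRYPT_TLSNONE = 0x1001
VENCRYPT_X509NONE = 0x1002
VENCRYPT_TLSSASL = 0x1003
VENCRYPT_X509SASL = 0x1004

# Meaning of each constructed sub-type: (TLS credential kind, auth step after TLS)
SUBTYPE_INFO = {
    VENCRYPT_TLSNONE: ("anon-dh", "none"),
    VENCRYPT_X509NONE: ("x509", "none"),
    VENCRYPT_TLSSASL: ("anon-dh", "sasl"),
    VENCRYPT_X509SASL: ("x509", "sasl"),
}


def encode_subtype_list(subtypes):
    """Server -> client: u8 count, then one big-endian u32 per sub-type."""
    body = b"".join(struct.pack("!I", s) for s in subtypes)
    return struct.pack("!B", len(subtypes)) + body


def decode_subtype_list(buf):
    """Client-side parse of the list; rejects short or trailing-garbage buffers."""
    if not buf:
        raise ValueError("empty VeNCrypt sub-type list")
    count = buf[0]
    if len(buf) != 1 + 4 * count:
        raise ValueError("malformed VeNCrypt sub-type list")
    return [struct.unpack("!I", buf[1 + 4 * i:5 + 4 * i])[0] for i in range(count)]


def sasl_channel_is_protected(mechanism, ssf, transport):
    """The rule from the thread: SASL protects the session by itself only when
    the mechanism negotiated an SSF layer, which in practice means GSSAPI.
    DIGEST-MD5 is deprecated, so its SSF is not trusted here. Every other
    mechanism needs X.509-authenticated TLS underneath; anonymous
    Diffie-Hellman TLS encrypts but does not authenticate the server."""
    if mechanism == "GSSAPI" and ssf > 0:
        return True
    return transport == "x509"


def client_choose(offered, mechanism, ssf):
    """Pick the first offered SASL sub-type under which the SASL exchange is
    protected; None if the server offered nothing acceptable."""
    for s in offered:
        transport, auth = SUBTYPE_INFO.get(s, (None, None))
        if auth == "sasl" and sasl_channel_is_protected(mechanism, ssf, transport):
            return s
    return None


def negotiate(server_subtypes, mechanism, ssf):
    """Both sides of the VeNCrypt sub-type handshake over an in-memory wire.
    Returns the agreed sub-type, or None when the client declines."""
    # Version exchange: server announces 0.2, client echoes it, server acks with 0.
    server_version = struct.pack("!BB", 0, 2)
    client_version = server_version
    if client_version != server_version or struct.pack("!B", 0) != b"\x00":
        return None

    # Server advertises its sub-types; client parses the bytes and chooses.
    offer = encode_subtype_list(server_subtypes)
    chosen = client_choose(decode_subtype_list(offer), mechanism, ssf)
    if chosen is None:
        return None
    client_reply = struct.pack("!I", chosen)

    # Server checks the choice was actually offered, then answers u8 1 (ok) or 0.
    (selected,) = struct.unpack("!I", client_reply)
    server_result = struct.pack("!B", 1 if selected in server_subtypes else 0)
    return selected if server_result == b"\x01" else None


if __name__ == "__main__":
    # Constructed scenarios: PLAIN over anon-DH is refused, X.509 is taken instead.
    print(negotiate([VENCRYPT_TLSSASL, VENCRYPT_X509SASL], "PLAIN", 0) == VENCRYPT_X509SASL)
    print(negotiate([VENCRYPT_TLSSASL], "PLAIN", 0))  # None: nothing acceptable
    print(negotiate([VENCRYPT_TLSSASL], "GSSAPI", 56) == VENCRYPT_TLSSASL)
```

The client policy lives in `sasl_channel_is_protected` so the same check can be applied whichever RFB security type carries the SASL exchange: a bare SASL security type, or SASL after a VeNCrypt TLS layer. Only the transport kind changes between those cases.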
