Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 5.2. What is GSSAPI?
Next Document: 5.4. Is there a reference for the Kerberos API?


5.3. What is SASL?


SASL is an acronym; it stands for Simple Authentication and Security Layer.

SASL is a generic protocol framework for doing various sorts of
authentication between clients and servers. In SASL terminology, application
protocols such as POP, IMAP, and SMTP specify a "SASL profile," which
describes how to encapsulate SASL negotiation and SASL messages for that
protocol. Different authentication schemes are called "mechanisms" in the
SASL framework.

How does this relate to Kerberos? One of the supported mechanisms for SASL
is GSSAPI, and since Kerberos is one of the standardized GSSAPI mechanisms,
protocols that use SASL for authentication support Kerberos authentication
via the GSSAPI.

It's important to clarify one thing: while a protocol may support SASL, it's
not required that applications that implement that protocol support all
security mechanisms. In other words, a particular mail reader may support
SASL, but it might not support the GSSAPI mechanism. You need to talk to the
vendor to find out which mechanisms each application supports.

SASL is described by the following RFC:

   * RFC 2222 - <http://www.ietf.org/rfc/rfc2222.txt>

Some examples of SASL profiles for application protocols are:

POP
     RFC 1734 - <http://www.ietf.org/rfc/rfc1734.txt>

IMAP
     RFC 1731 - <http://www.ietf.org/rfc/rfc1731.txt>

SMTP
     RFC 2554 - <http://www.ietf.org/rfc/rfc2554.txt>
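
Since each server (like each client) implements only some mechanisms, it
helps to read what a server actually advertises. The following is an added
example, not part of the original FAQ: it extracts SASL mechanism names from
IMAP CAPABILITY, SMTP EHLO, and POP3 CAPA responses and reports whether
GSSAPI is offered. The sample responses are constructed, and the POP3 CAPA
"SASL" tag comes from RFC 2449, which this FAQ does not list.

```python
import re

# Constructed sample responses (not captured from real servers).
SAMPLES = {
    "imap": "* CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=PLAIN\r\na1 OK done\r\n",
    "smtp": "250-mail.example.org\r\n250-AUTH GSSAPI DIGEST-MD5\r\n250 8BITMIME\r\n",
    "pop3": "+OK list follows\r\nTOP\r\nSASL CRAM-MD5 PLAIN\r\n.\r\n",
}

# RFC 2222: names are at most 20 chars of A-Z, 0-9, hyphen, underscore.
VALID_NAME = re.compile(r"[A-Z0-9_-]{1,20}")


def sasl_mechanisms(protocol, response):
    """Return the set of SASL mechanism names advertised in a response."""
    if protocol not in ("imap", "smtp", "pop3"):
        raise ValueError("unknown protocol: %r" % protocol)
    found = []
    for line in response.splitlines():
        if protocol == "imap" and line.upper().startswith("* CAPABILITY"):
            # IMAP: one AUTH=<mechanism> atom per mechanism.
            found += re.findall(r"\sAUTH=(\S+)", line, re.I)
        elif protocol == "smtp":
            # SMTP: EHLO keyword AUTH followed by a mechanism list.
            m = re.match(r"250[- ]AUTH[ =](.*)", line, re.I)
            found += m.group(1).split() if m else []
        elif protocol == "pop3":
            # POP3: CAPA line tagged SASL followed by a mechanism list.
            m = re.match(r"SASL\s+(.*)", line, re.I)
            found += m.group(1).split() if m else []
    # Drop anything that is not a well-formed mechanism name.
    return {n.upper() for n in found if VALID_NAME.fullmatch(n.upper())}


def gssapi_report(samples):
    """Map each protocol to (offers GSSAPI?, sorted mechanism list)."""
    report = {}
    for protocol, response in samples.items():
        mechs = sasl_mechanisms(protocol, response)
        report[protocol] = ("GSSAPI" in mechs, sorted(mechs))
    return report


if __name__ == "__main__":
    for proto, (kerberos_ok, mechs) in gssapi_report(SAMPLES).items():
        print(proto, "GSSAPI" if kerberos_ok else "no GSSAPI", mechs)
```

The constructed POP3 response shows the case described above: the server
speaks SASL but does not offer the GSSAPI mechanism.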

A number of SASL libraries are available for programmers who don't wish to
write their own SASL code. The most common open-source one is Cyrus SASL.
It's available at:

   * <ftp://ftp.andrew.cmu.edu/pub/cyrus-mail>




Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>

Last Update October 13 2008 @ 00:11 AM
