On 10/12/12 3:44 PM, Stephen Frost wrote:
> wrt future-proofing, I don't like the "#-of-iterations" approach. There
> are a number of examples of how to deal with multiple encryption types
> being supported by a protocol, I'd expect hash'ing could be done in the
> same way. For example, Negotiate, SSL, Kerberos, GSSAPI, all have ways
> of dealing with multiple encryption/hashing options being supported.
> Multiple iterations could be supported through that same mechanism (as
> des/des3 were both supported by Kerberos for quite some time).
>
> In general, I think it's good to build on existing implementations where
> possible. Perhaps we could even consider using something which already
> exists for this?
Sounds like SASL to me.