WildFly Elytron / ELY-129

Choose SASL mechanisms based on better criteria


    • Type: Enhancement
    • Resolution: Done
    • Priority: Major
    • 1.1.0.Beta3
    • High

      SASL mechanism selection is currently based on properties that specify only a few very limited criteria.

      We should provide a better selection mechanism that allows selection based on the following criteria:

      • Specify requirements of the mechanism itself
        • Algorithm usage
        • Key length (where applicable)
        • Parameters similar to existing Sasl ones, like:
          • QOP
          • Forward secrecy
          • Plaintext
          • Active attack susceptibility
          • etc.
      • Specify requirements around the mechanism's circumstance
        • Restrict by enclosing channel security
          • Require TLS cipher suite parameters (using existing database parameters)
          • Require channel binding

      In the end the client or server user should be able to specify SASL mechanism usage using expressions that can express things like:

      • Use PLAIN only if TLS is in use with AES encryption
      • Use EXTERNAL only if TLS is in use
      • Use no SASL mechanisms employing weak hash algorithms (MD5 and worse)
      • Use only SASL mechanisms employing SHA-256
      • Use only SASL mechanisms that provide channel binding and require TLS
      • Use only ANONYMOUS
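As an added illustration of what such expression-based selection would evaluate (this is example code written for this page, not WildFly Elytron's own API), the policy below models each mechanism as a small record of its properties, the enclosing channel as another record, and each rule from the list above as a predicate over the pair. `Mechanism`, `Channel`, `Rule`, `Property`, the mechanism table and the hash assignments are all constructed for the example and are assumptions, not Elytron types.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import java.util.function.BiPredicate;

/*
 * Illustrative SASL mechanism selection policy. None of these types exist in
 * WildFly Elytron; Mechanism, Channel, Rule and the mechanism table are
 * constructed for this example.
 */
public class SaslPolicyExample {

    /** SASL-style properties a mechanism may carry (cf. the Sasl.POLICY_* keys). */
    enum Property { PLAINTEXT, CHANNEL_BINDING, ANONYMOUS }

    /** Static facts about a mechanism: name, hash it relies on (null if none), properties. */
    record Mechanism(String name, String hashAlgorithm, Set<Property> properties) {}

    /** Facts about the enclosing channel at selection time. */
    record Channel(boolean tlsInUse, String cipherSuite, boolean channelBindingAvailable) {
        boolean usesAes() {
            return tlsInUse && cipherSuite != null && cipherSuite.contains("AES");
        }
    }

    /** One rule: a predicate over (mechanism, channel) that must hold for the mechanism to be allowed. */
    record Rule(String description, BiPredicate<Mechanism, Channel> allows) {}

    // Constructed sample mechanism table; hash and property assignments are illustrative.
    static final List<Mechanism> MECHANISMS = List.of(
        new Mechanism("PLAIN", null, EnumSet.of(Property.PLAINTEXT)),
        new Mechanism("EXTERNAL", null, EnumSet.noneOf(Property.class)),
        new Mechanism("ANONYMOUS", null, EnumSet.of(Property.ANONYMOUS)),
        new Mechanism("DIGEST-MD5", "MD5", EnumSet.noneOf(Property.class)),
        new Mechanism("SCRAM-SHA-256", "SHA-256", EnumSet.noneOf(Property.class)),
        new Mechanism("SCRAM-SHA-256-PLUS", "SHA-256", EnumSet.of(Property.CHANNEL_BINDING)));

    static final Set<String> WEAK_HASHES = Set.of("MD2", "MD4", "MD5");

    // Rules from the issue's wish list. A rule that does not concern a mechanism passes it through.
    static final List<Rule> DEFAULT_POLICY = List.of(
        new Rule("PLAIN only if TLS is in use with AES encryption",
            (m, c) -> !m.name().equals("PLAIN") || c.usesAes()),
        new Rule("EXTERNAL only if TLS is in use",
            (m, c) -> !m.name().equals("EXTERNAL") || c.tlsInUse()),
        new Rule("no mechanism employing a weak hash (MD5 and worse)",
            (m, c) -> m.hashAlgorithm() == null || !WEAK_HASHES.contains(m.hashAlgorithm())));

    // A stricter policy: only channel-binding mechanisms, and only over TLS.
    static final List<Rule> STRICT_POLICY = List.of(
        new Rule("require TLS", (m, c) -> c.tlsInUse()),
        new Rule("require channel binding",
            (m, c) -> m.properties().contains(Property.CHANNEL_BINDING) && c.channelBindingAvailable()));

    /** Mechanisms permitted by every rule of the policy on the given channel, in table order. */
    static List<String> select(List<Rule> policy, Channel channel) {
        List<String> allowed = new ArrayList<>();
        for (Mechanism m : MECHANISMS) {
            boolean ok = policy.stream().allMatch(r -> r.allows().test(m, channel));
            if (ok) {
                allowed.add(m.name());
            }
        }
        return allowed;
    }

    /** Lists the rules a mechanism failed, so the rejecting side can log why it was excluded. */
    static List<String> rejections(List<Rule> policy, Mechanism m, Channel channel) {
        List<String> failed = new ArrayList<>();
        for (Rule r : policy) {
            if (!r.allows().test(m, channel)) {
                failed.add(r.description());
            }
        }
        return failed;
    }

    public static void main(String[] args) {
        Channel cleartext = new Channel(false, null, false);
        Channel tlsAes = new Channel(true, "TLS_AES_256_GCM_SHA384", true);

        System.out.println("cleartext, default policy: " + select(DEFAULT_POLICY, cleartext));
        System.out.println("TLS+AES,   default policy: " + select(DEFAULT_POLICY, tlsAes));
        System.out.println("TLS+AES,   strict policy:  " + select(STRICT_POLICY, tlsAes));
        for (Mechanism m : MECHANISMS) {
            List<String> why = rejections(DEFAULT_POLICY, m, cleartext);
            if (!why.isEmpty()) {
                System.out.println("cleartext rejects " + m.name() + ": " + why);
            }
        }
    }
}
```

The point of splitting mechanism facts from channel facts is that the same policy yields different results on a cleartext connection and on a TLS connection with an AES suite: PLAIN and EXTERNAL drop out of the first, DIGEST-MD5 drops out of both, and the strict policy leaves only the channel-binding mechanism. Keeping a `rejections` path alongside `select` matters operationally, because a silently empty mechanism list is hard to diagnose from either end of the negotiation.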

              David Lloyd (dlloyd@redhat.com)