I am definitely not an expert on SASL, and it seems to me a rather specialized issue. It is a protocol that allows client and server to negotiate an authentication mechanism. SASL is used by LDAPv3 and IMAP. However, if all you want is to talk to LDAP or IMAP servers, then you need not worry about SASL--the JNDI and JavaMail APIs have the necessary plumbing built in. You would worry about SASL if you wanted to implement your own client and server application and have the benefits of the SASL protocol. According to http://java.sun.com/j2se/5.0/docs/guide/security/sasl/sasl-refguide.html, SASL is more lightweight than using SSL or Kerberos (via Java GSS).