
Clarification required in RFC 2831 - DIGEST-MD5



As part of the LDAPbis process there are a number of issues specifically related to RFC
2831 - 'Using Digest Authentication as a SASL Mechanism' that need to be clarified. Kurt
Zeilenga has asked that I share my concerns with this interest list.

RFC 2831 specifies confidentiality protection (see section 2.4) whereby client-server
communications can be encrypted according to a format laid out in the RFC. The difficulty
arises when either DES or Triple DES ciphers are used for confidentiality protection.

However, RFC 2831 does not specify which DES mode (CBC, ECB, PCBC, CFB, OFB, etc.)
should be used if DES is the negotiated cipher. This gap in the RFC allows for possible
interoperability issues, allowing different vendors to potentially opt for incompatible
DES modes.

Possible solutions include ...

1. Add an extra directive in the SASL exchange to allow the SASL client and server to
negotiate a DES mode.

2. RFC 2831 is updated to specify exactly what DES mode should be used in the exchange,
therefore removing any potential DES mode mismatches between the client and server.

-Jonathan Bruce

Java Software JNDI
Sun Microsystems Inc.
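To make the interoperability concern above concrete, here is an added example in Go; it is not code from the post or from any DIGEST-MD5 implementation, and the function names are my own. It builds the client-to-server sealing key Kcc from H(A1) with the magic constant of RFC 2831 section 2.4 (feeding the full 16-byte H(A1), as I read the RFC for the des cipher), expands Kcc bytes 0-6 into an 8-byte odd-parity DES key and takes bytes 8-15 as the IV (my reading of that section and of common implementations, so treat both as assumptions), seals a two-block message in CBC, and checks what a receiver holding the same key recovers when it assumes CBC versus ECB.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"encoding/binary"
	"math/bits"
)

// DESMaterial derives the RFC 2831 s2.4 client-to-server sealing key Kcc and splits
// it as a DES peer does: bytes 0-6 expand to an 8-byte odd-parity key, bytes 8-15 are the CBC IV.
func DESMaterial(hA1 []byte) (key, iv []byte) {
	h := md5.New()
	h.Write(hA1)
	h.Write([]byte("Digest H(A1) to client-to-server sealing key magic constant"))
	kcc := h.Sum(nil)
	raw := binary.BigEndian.Uint64(kcc) >> 8 // first 7 bytes as 56 key bits
	key = make([]byte, 8)
	for i := range key {
		b := (byte(raw>>(49-7*i)) & 0x7f) << 1    // 7 key bits, parity slot clear
		key[i] = b | byte(1-bits.OnesCount8(b)%2) // low bit makes the byte odd parity
	}
	return key, kcc[8:16]
}

// Open decrypts with the mode the receiver assumed: CBC, or ECB (blocks stand alone, IV unused).
func Open(blk cipher.Block, iv, ct []byte, assumeCBC bool) []byte {
	pt := make([]byte, len(ct))
	if assumeCBC {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
		return pt
	}
	for i := 0; i < len(ct); i += 8 {
		blk.Decrypt(pt[i:i+8], ct[i:i+8])
	}
	return pt
}

// Interoperates seals two blocks as a CBC sender and reports whether a receiver assuming the given mode recovers them (constructed H(A1), not a real digest).
func Interoperates(receiverCBC bool) bool {
	hA1 := md5.Sum([]byte("constructed H(A1) stand-in"))
	key, iv := DESMaterial(hA1[:])
	blk, _ := des.NewCipher(key)
	pt, ct := []byte("ldapsearch data."), make([]byte, 16) // 16 bytes = two DES blocks
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return string(Open(blk, iv, ct, receiverCBC)) == string(pt)
}

func main() { println("CBC->CBC", Interoperates(true), "CBC->ECB", Interoperates(false)) }
```

With matching modes the message round-trips; with a CBC sender and an ECB receiver every block, including the first, decrypts to plaintext XORed with chaining state the receiver never applied, which is the silent mismatch a mode directive or a fixed mode in the RFC would prevent.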