
2829 questions



I posted this on ldapext...hope it's in the right place now!

Hi Authentication Guys,

A few questions come to mind when thinking about Authentication as used
by the acl draft...

1. reading 2829bis it sounds like DIGEST-MD5 is mandatory ONLY IF your
server supports password based authentication because of Section 4 point 2:

"(2) Implementations providing password-based authenticated access
       MUST support authentication using the DIGEST-MD5 SASL mechanism
       [4], as described in section 6.1."

...but the following makes it sound mandatory to provide BOTH password
authentication AND DIGEST-MD5:

"6.2. Digest authentication

   LDAP implementations MUST support authentication with a password
   using the DIGEST-MD5 SASL mechanism for password protection, as
   defined in section 6.1."

The thing is for acl it would be nice (though not critical) to be able
to default the required authentication level for a subject to a single
"fairly secure" mechanism--if there is no such mandatory authentication
scheme then you cannot do that.

2. I think it would be good to have some
comments or explicit reference to a place where the security properties
of the particular mandatory authentication schemes are outlined.  When I
say "security properties" I mean stuff like "This scheme is vulnerable
to such and such attacks, is only safe if the key size is > 50, this
hash is widely considered the best, etc...".  I think an LDAP
implementor is likely to be interested in that information, without
having to wade through the security RFCs.

3. This is a question rather than a suggestion for a change to 2829...
again on the subject of authentication level, is it possible to
define an ordering on authentication levels which defines their relative
"strengths" ? This would be useful in acl as you could say things like
"a given aci grants access to a given subject at this authentication
level AND ABOVE".  David Chadwick raised this before in the context of
denying access to a subject at a given authentication level, in which
case he wanted to express "deny access to this subject at this
authentication level AND TO ALL IDENTITIES AUTHENTICATED BELOW THAT
LEVEL". 

Rob.
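As an added illustration of point 3 (not part of Rob's message and not code from any LDAP server or the acl draft): a small model of an ordering on authentication levels and of ACI rules that grant "at this level AND ABOVE" or deny "at this level AND BELOW". The particular ordering of levels, the ACI shape and the deny-overrides-grant rule are all assumptions made for the example, not anything the draft defines.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Assumed total ordering of authentication levels, weakest first.

    The relative placement is an assumption for this example; the point is
    only that levels compare with < and >= once such an ordering exists.
    """
    ANONYMOUS = 0        # no bind at all
    SIMPLE_PASSWORD = 1  # cleartext password (LDAP simple bind)
    DIGEST_MD5 = 2       # password protected by the DIGEST-MD5 SASL mechanism
    TLS_CLIENT_CERT = 3  # certificate-based identity, e.g. SASL EXTERNAL over TLS


@dataclass(frozen=True)
class Aci:
    """Hypothetical access-control item keyed on subject and auth level."""
    subject: str
    level: AuthLevel
    effect: str  # "grant" or "deny"


def aci_applies(aci: Aci, subject: str, level: AuthLevel) -> bool:
    """Decide whether an ACI applies to a subject bound at a given level.

    grant: applies at aci.level AND ABOVE (stronger authentication suffices).
    deny:  applies at aci.level AND BELOW (weaker authentication is also denied).
    """
    if aci.subject != subject:
        return False
    if aci.effect == "grant":
        return level >= aci.level
    if aci.effect == "deny":
        return level <= aci.level
    raise ValueError(f"unknown effect {aci.effect!r}")


def decide(acis: list[Aci], subject: str, level: AuthLevel) -> str:
    """Evaluate all ACIs for one request.

    Assumed conflict rule: any applicable deny wins over any grant, and
    with no applicable grant the default is deny.
    """
    applicable = [a for a in acis if aci_applies(a, subject, level)]
    if any(a.effect == "deny" for a in applicable):
        return "deny"
    if any(a.effect == "grant" for a in applicable):
        return "grant"
    return "deny"


# Constructed sample policy for the example.
SAMPLE_ACIS = [
    # rob may read if authenticated with DIGEST-MD5 or anything stronger
    Aci("cn=rob", AuthLevel.DIGEST_MD5, "grant"),
    # eve may read at any level, but is explicitly denied when she shows up
    # with a cleartext password or anything weaker
    Aci("cn=eve", AuthLevel.ANONYMOUS, "grant"),
    Aci("cn=eve", AuthLevel.SIMPLE_PASSWORD, "deny"),
]


if __name__ == "__main__":
    for subj, lvl in [
        ("cn=rob", AuthLevel.SIMPLE_PASSWORD),
        ("cn=rob", AuthLevel.DIGEST_MD5),
        ("cn=rob", AuthLevel.TLS_CLIENT_CERT),
        ("cn=eve", AuthLevel.ANONYMOUS),
        ("cn=eve", AuthLevel.DIGEST_MD5),
    ]:
        print(f"{subj} @ {lvl.name}: {decide(SAMPLE_ACIS, subj, lvl)}")
```

The interesting case is cn=eve at DIGEST_MD5: the deny rule at SIMPLE_PASSWORD covers only that level and below, so it does not fire, and the grant at ANONYMOUS (and above) lets the request through; at ANONYMOUS the deny covers her and wins.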