Re: authmeth (Was: Bind and StrongAuthRequired)
"Kurt D. Zeilenga" wrote:
> I also suggest that implementation of DIGEST-MD5
> integrity protections be made REQUIRED and
> data confidentiality RECOMMENDED. Integrity
> protections, in particular, are necessary to
> prevent hijack attacks.
That would seem to be a new requirement beyond what was required for
LDAPv3. Existing implementations of DIGEST-MD5 in LDAPv3 which support only
password protection would thus not interoperate if an implementation of
LDAPv3bis required integrity protection. But I don't see an
interoperability problem with current implementations, and whether hijack
attacks are possible or likely depends on the network environment. What is
the case for other protocols with similar deployment issues like perhaps
IMAP that use SASL? Do they mandate integrity protection?
I suggest we separate solving _interoperability_ problems from new features
and new requirements.
Sun Microsystems Inc.