Re: authmeth (Was: Bind and StrongAuthRequired)



"Kurt D. Zeilenga" wrote:
> 
> I also suggest that implementation of DIGEST-MD5
> integrity protections be made REQUIRED and
> data confidentiality RECOMMENDED.  Integrity
> protections, in particular, are necessary to
> prevent hijack attacks.

That would seem to be a new requirement beyond what was required for 
LDAPv3.  Existing implementations of DIGEST-MD5 in LDAPv3 which support only
password protection would thus not interoperate if an implementation of 
LDAPv3bis required integrity protection.  But I don't see an
interoperability problem with current implementations, and whether hijack
attacks are possible or likely depends on the network environment.  What is
the case for other protocols with similar deployment issues like perhaps 
IMAP that use SASL?  Do they mandate integrity protection?  

I suggest we separate solving _interoperability_ problems from new features
and new requirements.

Mark Wahl
Sun Microsystems Inc.