Re: authmeth (Was: Bind and StrongAuthRequired)



For now, let's table this issue (as an LDAPbis issue).

Those interested in discussing the larger SASL/DIGEST-MD5
security layer issue should participate in the SASL mailing
list <ietf-sasl@imc.org> discussions.  I am sure this
issue will come up in their RFC2831bis work.

(Note that we're presently deferring our RFC 2831 work
item to the SASL mailing list as they appear better
suited to do this engineering.)

Kurt

At 12:11 PM 2002-07-29, Mark Wahl wrote:
>"Kurt D. Zeilenga" wrote:
>> 
>> I also suggest that implementation of DIGEST-MD5
>> integrity protections be made REQUIRED and
>> data confidentiality RECOMMENDED.  Integrity
>> protections, in particular, are necessary to
>> prevent hijack attacks.
>
>That would seem to be a new requirement beyond what was required for 
>LDAPv3.  Existing implementations of DIGEST-MD5 in LDAPv3 which support only
>password protection would thus not interoperate if an implementation of 
>LDAPv3bis required integrity protection.   But I don't see an 
>interoperability problem with current implementations, and whether hijack
>attacks are possible or likely depends on the network environment.  What is 
>the case for other protocols with similar deployment issues like perhaps 
>IMAP that use SASL?  Do they mandate integrity protection?  
>
>I suggest we separate solving _interoperability_ problems from new features
>and new requirements.
>
>Mark Wahl
>Sun Microsystems Inc.