
Should response-auth be optional for digest authentication in authmeth?



The current draft of authmeth (draft-ietf-ldapbis-authmeth-05.txt) indicates, in section 8.2 paragraph 6, that the response-auth SASL message is only included in the bind response for a successful bind when the server supports subsequent authentication. This seems counter to the intention of RFC2831 section 2.1.3 which indicates that the response-auth should always be returned.

The response-auth provides one of the security aspects documented in RFC2831, that of protection against "Spoofing by counterfeit servers" (section 3.8). RFC2617, upon which RFC2831 is based, describes this protection as "The optional response digest in the "response-auth" directive supports mutual authentication -- the server proves that it knows the user's secret, and with qop=auth-int also provides limited integrity protection of the response." Note that response-auth is optional in RFC2617, but not (in my opinion) in RFC2831.

Was this diversion from the apparent intention of RFC2831 intentional and if so, what is the reasoning behind weakening the authentication procedure in this way?

Regards,
	Mark Ennis
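An added example, not part of the message above or of the authmeth draft: the RFC 2831 response and rspauth computations in Python, with the client-side rspauth check that gives the counterfeit-server protection the message refers to. The input values are the worked example from RFC 2831 section 4 (password "secret"); the function names are this example's own.

```python
import hashlib
import hmac

# Worked values from the example exchange in RFC 2831 section 4 (password "secret").
USER, REALM, PASSWORD = "chris", "elwood.innosoft.com", "secret"
NONCE, CNONCE, NC, QOP = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth"
DIGEST_URI = "imap/elwood.innosoft.com"

ZEROS = "0" * 32  # appended to A2 for qop=auth-int or auth-conf (RFC 2831 2.1.2.1)


def _ha1(user, realm, password, nonce, cnonce, authzid=None):
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce [":" authzid]; the inner hash is raw bytes.
    a1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    return hashlib.md5(a1).hexdigest()


def _kd(ha1, nonce, nc, cnonce, qop, a2):
    # HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) with KD(k, s) = H(k ":" s).
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def client_response(user, realm, password, nonce, cnonce, nc, qop, uri, authzid=None):
    """The 'response' directive sent by the client: proves the client knows the secret."""
    a2 = f"AUTHENTICATE:{uri}" + ("" if qop == "auth" else f":{ZEROS}")
    return _kd(_ha1(user, realm, password, nonce, cnonce, authzid), nonce, nc, cnonce, qop, a2)


def server_rspauth(user, realm, password, nonce, cnonce, nc, qop, uri, authzid=None):
    """The 'rspauth' value returned by the server: same KD, but A2 carries no method
    string, so only a party holding the secret can produce it (RFC 2831 2.1.3)."""
    a2 = f":{uri}" + ("" if qop == "auth" else f":{ZEROS}")
    return _kd(_ha1(user, realm, password, nonce, cnonce, authzid), nonce, nc, cnonce, qop, a2)


def client_accepts_server(received_rspauth, user, realm, password, nonce, cnonce, nc, qop, uri):
    """The client-side check mutual authentication depends on: if the client skips it,
    a server that never knew the password is indistinguishable from the genuine one."""
    expected = server_rspauth(user, realm, password, nonce, cnonce, nc, qop, uri)
    return hmac.compare_digest(expected, received_rspauth)


if __name__ == "__main__":
    args = (USER, REALM, PASSWORD, NONCE, CNONCE, NC, QOP, DIGEST_URI)
    print("response =", client_response(*args))
    print("rspauth  =", server_rspauth(*args))
    # A server that does not hold the secret produces a value the client must reject.
    forged = server_rspauth(USER, REALM, "not-the-secret", NONCE, CNONCE, NC, QOP, DIGEST_URI)
    print("genuine accepted:", client_accepts_server(server_rspauth(*args), *args))
    print("counterfeit accepted:", client_accepts_server(forged, *args))
```

With the RFC 2831 section 4 inputs the client response is d388dad90d4bbd760a152321f2143af7 and the rspauth is ea40f60335c427b5527b84dbabcdfffd; a bind response that omits rspauth leaves the client with nothing to compare, which is exactly the property the draft's wording would give up.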